RT-86U - vlanctl & ethctl usage puzzle

Hi,

Thanks a lot for your reply!
I tried the settings today but unfortunately didn't manage to make it work...
But I'm (very!) far from an expert in network configuration and don't know whether the solution is not OK or whether I screwed up somewhere in the process...

Not sure I understood this properly :
You need to change all the NVRAM interfaces related settings, as well the WAN parameters to match with new br2 interface.

And I had trouble with: ifconfig br2 <Router WAN IP> <Router WAN mask> up :
...@RT-AX88U/# ifconfig br2 192.168.0.132 255.255.255.0 up
ifconfig: SIOCSIFADDR: Invalid argument
...@RT-AX88U:/# ifconfig br2 192.168.0.132/255.255.255.0 up
ifconfig: invalid number '255.255.255.0'
 
As explained by ika (thanks for this), I forgot the "netmask" parameter.

#ifconfig br2 <wan ip> netmask <wan mask> up

About nvram, you need to change it according to the new configuration. At least like below:

#nvram set wan_ifnames=br2
#nvram set wan_ifname=br2
#nvram set wan0_ifname=br2
#nvram set igmp_ifname=br2
#nvram set wan0_gw_ifname=br2

#nvram set lan_ifnames="eth1.v100 eth2 eth3 eth4 eth5 eth6" ##Additional WiFi networks, like guest networks, are not listed here; if you create one, you need to add it to br0 (wl0.1, wl1.1, etc.)
#nvram set br0_ifnames="eth1.v100 eth2 eth3 eth4 eth5 eth6" ##Additional WiFi networks, like guest networks, are not listed here; if you create one, you need to add it to br0 (wl0.1, wl1.1, etc.)
#nvram set lan3_ifname=br3
#nvram set lan3_ifnames="eth1.v100 eth0.v100"

#nvram unset br2_ifname
#nvram unset br2_ifnames
#nvram unset lan2_ifname

#nvram commit

#killall eapd
#eapd


But remember, the packets from IPTV MUST be tagged by IPTV (or an external switch). This configuration does not tag any VLAN; it just passes the VLAN-tagged packets through inside br3.
After you apply this configuration and the short firewall script (in previous post), test the internet...

And another thing: this script is for the AC86U, and you are trying it on an AX88U. If the hardware/driver is different, maybe that changes everything.
 
Hi @LeandroBR and everyone else of course!
You seem one of the only users that has managed to make VLAN work with the AC86U. :cool:

I have been struggling with this VLAN topic for quite some time now, I am glad people made a breakthrough.
However, despite seeing that it works well for you I still didn't manage to make it work.

I have included a photo with a simple topology, 2 VLAN behind a VLAN-aware switch with laptop A in VLAN 1 and laptop B in VLAN 2 (the idea is to isolate VLAN 1 and VLAN 2).

[Image: simpletopo.png, the simple topology described above]


The AC86U router port 4 is connecting to port 1 of the Netgear switch JGS524E.
Laptop A is connected to its port 2 and Laptop B to port 3 of the switch.

Following the instructions in this forum thread, and others, so far I have this:

services-start
brctl delif br0 eth1
vlanctl --mcast --if-create eth1 100
vlanctl --if eth1 --rx --tags 1 --filter-vid 100 0 --pop-tag --set-rxif eth1.v100 --rule-append
vlanctl --if eth1 --tx --tags 0 --filter-txif eth1.v100 --push-tag --set-vid 100 0 --rule-append
ifconfig eth1.v100 up
vlanctl --mcast --if-create eth1 200
vlanctl --if eth1 --rx --tags 1 --filter-vid 200 0 --pop-tag --set-rxif eth1.v200 --rule-append
vlanctl --if eth1 --tx --tags 0 --filter-txif eth1.v200 --push-tag --set-vid 200 0 --rule-append
ifconfig eth1.v200 up
vlanctl --if eth1 --set-if-mode-rg
vlanctl --if eth1 --tx --tags 0 --default-miss-drop

brctl stp br0 on
brctl addif br0 eth1.v100

brctl addbr br1
brctl addif br1 eth1.v200
ifconfig br1 192.168.2.1 netmask 255.255.255.0 up

nvram set lan_ifnames="eth1.v100 eth2 eth3 eth4 eth5 eth6" # not sure why eth1.v200 is not added in lan_ifnames
nvram set br0_ifnames="eth1.v100 eth2 eth3 eth4 eth5 eth6"
nvram set br1_ifname=br1
nvram set br1_ifnames="eth1.v200"
nvram set lan1_ifname=br1
nvram set lan1_ifnames="eth1.v200"
nvram commit

killall eapd
eapd

ethswctl -c hw-switching -o disable


dnsmasq.conf.add
interface=br1
dhcp-range=tag:br1,192.168.2.100,192.168.2.150,255.255.255.0,1440m
dhcp-option=tag:br1,3,192.168.2.1



firewall-start
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br1 -j MASQUERADE

Switch configuration:
I create 2 VLAN: 100 and 200
On VLAN 100: Port 1 is tagged and Port 2 is untagged
On VLAN 200: Port 1 is tagged and Port 3 is untagged

Unfortunately, it does not work...
Can you see any obvious errors in the process I've listed above?
 
[Image: upload_2020-5-15_18-0-10.png, topology diagram]

This is my topology. I am looking for some help to get the right iptables rules and dnsmasque rules set up.

The AP should be easy, but I do not understand some of the options to set things up. BTW, the main router is an RT-AC86U and the APs are RT-AC68Us.

Any help would be appreciated.
 
Hi,

Check the results

# ip link show (check if eth1 and subinterfaces are up)
# brctl show (check if all the bridges are right)

# tcpdump -i eth1 -e -nn vlan and port 67 (check if you can see the PCs trying to get an IP). With this dump you will be able to see the tagged packets. Check if you can see any packet. Remove the filter "and port 67" to capture everything.

Your script for the VLAN part appears to be right, as does the NVRAM part.

Have you tried to use VLAN between this switch and any other device?
 
Hi @LeandroBR ,

Bridges seem to be up with the proper interfaces and IPs.
I thought I would try something simpler just to see if it could be my router (unfortunately the router lost its temper and I had to reset it and lost my /jffs partition...).

I wanted to try the simple scenario you mentioned to Jack Yaz, but make it even simpler by simply putting a guest network on a different bridge.

#services-start
brctl delif br0 wl0.1

brctl addbr br1
brctl addif br1 wl0.1
ifconfig br1 192.168.2.1 netmask 255.255.255.0 up

nvram set lan_ifnames="eth1 eth2 eth3 eth4 eth5 eth6"
nvram set br0_ifnames="eth1 eth2 eth3 eth4 eth5 eth6"

nvram set br1_ifname=br1
nvram set br1_ifnames="wl0.1"
nvram set lan1_ifname=br1
nvram set lan1_ifnames="wl0.1"
nvram commit

killall eapd
eapd

ethswctl -c hw-switching -o disable

#dnsmasq.conf.add
interface=br1
dhcp-range=br1,192.168.2.100,192.168.2.150,255.255.255.0,1440m
dhcp-option=br1,3,192.168.2.1


When I try to connect my laptop to the guest network, it looks like the DHCP request is received but no IP is sent back:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wl0.1, link-type EN10MB (Ethernet), capture size 262144 bytes
19:44:04.713796 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 6c:40:08:bb:fd:68, length 300
19:44:06.964777 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 6c:40:08:bb:fd:68, length 300
19:44:11.812919 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 6c:40:08:bb:fd:68, length 300


I feel that if I could manage to make this simpler scenario work then maybe I would have a chance to make the more advanced one with VLAN work.

Or do you suggest another approach?

P.S: QoS is disabled on my router, and the MAC address of the laptop is not in the DHCP manual assignment under LAN > DHCP Server.
 
Check the firewall INPUT rule for br1; you need to release port 67, otherwise no IP will be delivered.

After you get IP on your PC, if you are using the router as your DNS server, do not forget to release INPUT port 53.
 
@LeandroBR progress!!!! :)

My firewall INPUT rule for br1 is

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
target prot opt in out source destination
ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
DROP all -- * * 0.0.0.0/0 0.0.0.0/0


I actually thought that the 5th rule would be the one but apparently not...
DHCP server port is supposed to be 67 and the client 68 so I am surprised it is inverted here. Is this for my WAN connection?

Anyway I added:
ACCEPT all -- br1 * 0.0.0.0/0 0.0.0.0/0 state NEW

and I got an IP assigned! Thanks!

About the DNS, I looked for the port 53 as you've mentioned and I don't see in the INPUT chain what I should add considering that the rules for br0 and br1 are the same now.
Moreover, I am using the DNS-over-TLS option in the GUI so the port should be 853...

Ultimately it looks like I had to add those 2 rules to the PREROUTING chain in the NAT table.
iptables -t nat -A PREROUTING -i br1 -s 192.168.2.0/24 -p udp --dport 53 -j DNSFILTER
iptables -t nat -A PREROUTING -i br1 -s 192.168.2.0/24 -p tcp --dport 53 -j DNSFILTER


From there I added the other rules to allow the traffic to go through in the FORWARD chain and it works.
So now I can finally start playing with the VLAN with the simpler topology I mentioned in my previous post.

Thanks dude!
 
That's good!!!

About this:
DHCP server port is supposed to be 67 and the client 68 so I am surprised it is inverted here. Is this for my WAN connection?

That's exactly what I said. The server side listens on port 67, so just release port 67. No others are needed.
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
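A firewall-start fragment for the isolated guest bridge discussed in this exchange, as an added example (not LeandroBR's or anyone else's script from the thread): it opens DHCP and DNS on the router for br1 only, blocks new connections between br1 and br0, and lets br1 reach the WAN. The bridge, subnet and WAN interface names are assumptions; DRY_RUN=1 prints the rules for review instead of applying them.

```shell
#!/bin/sh
# Added example (not a script from this thread): firewall-start rules for an
# isolated guest/VLAN bridge on Asuswrt-Merlin. Bridge, subnet and WAN interface
# names below are assumptions; adjust them to your own NVRAM/bridge setup.
GUEST_BR="${GUEST_BR:-br1}"
GUEST_NET="${GUEST_NET:-192.168.2.0/24}"
MAIN_BR="${MAIN_BR:-br0}"
WAN_IF="${WAN_IF:-eth0}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the rules for review instead of applying them

ipt() {
    if [ "$DRY_RUN" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

guest_firewall() {
    # Router services the guest bridge may reach: DHCP (the server listens on
    # udp/67; the stock 'spt:67 dpt:68' rule only covers replies to the router's
    # own DHCP client) and DNS. Everything else from the guest bridge to the
    # router stays behind the existing INPUT DROP rule at the end of the chain.
    ipt -I INPUT -i "$GUEST_BR" -p udp --dport 67 -j ACCEPT
    ipt -I INPUT -i "$GUEST_BR" -p udp --dport 53 -j ACCEPT
    ipt -I INPUT -i "$GUEST_BR" -p tcp --dport 53 -j ACCEPT
    # Internet only: new connections from the guest subnet out to the WAN.
    ipt -I FORWARD -i "$GUEST_BR" -o "$WAN_IF" -s "$GUEST_NET" -m state --state NEW -j ACCEPT
    # Isolation between guest and main LAN, both directions. -I prepends, so
    # inserting these after the ACCEPT places them above it in the chain.
    ipt -I FORWARD -i "$GUEST_BR" -o "$MAIN_BR" -m state --state NEW -j DROP
    ipt -I FORWARD -i "$MAIN_BR" -o "$GUEST_BR" -m state --state NEW -j DROP
    # NAT the guest subnet on the way out, as the main LAN already is.
    ipt -t nat -A POSTROUTING -s "$GUEST_NET" -o "$WAN_IF" -j MASQUERADE
}

# "sh guest-fw.sh show" prints the rules; "sh guest-fw.sh apply" installs them.
case "${1:-}" in
    show)  DRY_RUN=1; guest_firewall ;;
    apply) guest_firewall ;;
esac
```

Source the file from /jffs/scripts/firewall-start and call guest_firewall there, so the rules are re-applied whenever the firmware rebuilds the firewall.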
 
Sorry I wasn't clear :)
I wasn't doubting what you've said, I just noticed that my firewall already had the following rule: ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68 and I was just wondering why it is there ;-)
 
Thanks for your explanation. I am trying to understand how you separate the guest network from the main network. I see the wl0.1 and wl0.2 in your script. What connects them to the correct SSID? Is there something that I am missing?
I see that the wl0.1 is the 2.4 ghz and wl1.1 is the 5 ghz.

I want to just create the bridge with the two wireless networks in it and then set it to a vlan.

This is what I am seeing should work so far, but I don't want to remove the main wireless from br0 just the guest networks.
I am still trying to figure out the VLAN setup. I don't want to use port-based VLANs because I am also using the APs as switches to connect other devices, and it is just the wireless that I want to separate and send.
Any suggestions would be appreciated.

Thanks

#services-start on main router

# Organize the bridges one additional WiFi 2,4/5Ghz for guests

# delete wireless lan 0.1 from bridge 0 (2.4 ghz guest)
brctl delif br0 wl0.1
# delete wireless lan 1.1 from bridge 0 (5 ghz guest)
brctl delif br0 wl1.1
# create bridge 1
brctl addbr br1
# add wireless lan 0.1 to bridge 1
brctl addif br1 wl0.1
# add wireless lan 1.1 to bridge 1
brctl addif br1 wl1.1
# set IP range for Guest network
ifconfig br1 192.168.1.1 netmask 255.255.255.0 up

# Adjust NVRAM settings
nvram set lan_ifnames="eth1 eth2 eth3 eth4 eth5 eth6"
nvram set br0_ifnames="eth1 eth2 eth3 eth4 eth5 eth6"

nvram set br1_ifname=br1
nvram set br1_ifnames="wl0.1 wl1.1"
nvram set lan1_ifname=br1
nvram set lan1_ifnames="wl0.1 wl1.1"
nvram commit

# eapd restart (required with NVRAM change)
killall eapd
eapd

# connect LAN interfaces together
ethswctl -c hw-switching -o disable
 

If you are not going to separate the physical ports, I DO NOT recommend the command below; take it out. This will increase your CPU usage a lot for nothing. Use it only if necessary (in my case, it was necessary for communication between ports when they are in different bridges).

# connect LAN interfaces together
ethswctl -c hw-switching -o disable #remove this, to keep ENABLED.
 
@LeandroBR Hiya! Definitely making progress here!
I was wondering if you've tried to use the FreshJR QoS script?

It made such a big improvement in my home network.
However, I am going through his script and see that the rules he sets in place are all on the interface br0.

I am wondering if you are using the script and if you have an opinion about it or QoS on multiple interfaces.
 
I never tried this script.
I just have my own script that I made for the guest network. I can limit download and upload by starting the script anytime (start/stop). You can do this using "tc".

But it sets a limit only on specific interface.
It means I can’t balance the download between main and guest networks.
 
@LeandroBR
What is the corresponding syntax to remove the VLAN configuration, i.e. the opposite to:
vlanctl --mcast --if-create wl0.2 100
vlanctl --if wl0.2 --rx --tags 1 --filter-vid 100 0 --pop-tag --set-rxif wl0.2.v100 --rule-append
vlanctl --if wl0.2 --tx --tags 0 --filter-txif wl0.2.v100 --push-tag --set-vid 100 0 --rule-append

EDIT: Am I correct that those 3 lines are all that are needed to manipulate vlanctl to create the vlan interface? i.e. all traffic via interface wl0.2 will be part of vlan 100?

I'm aware you also need to bring it up via ifconfig and update nvram for eapd etc., but I have working code for that already ;-)
 
The command to remove:
vlanctl --if-delete wl0.2.v100

In my tests, it was not even necessary to set the interface down or remove it from the bridge. It was just deleted directly.
But, I'm really curious to know if VLAN Tag works over WIFI (I don't think so), because that's what this configuration will try to do.

I did it differently. In my case (my current configuration at home), I created all the VLAN tags on a physical interface and then included the WiFi interfaces in the same bridge where I included the VLAN interface. It means the WiFi traffic is never tagged; it is only tagged when it goes through the trunk port to "talk" to another AP or router.

I will PM a scheme to you.

EDIT: I did some research; VLAN tagging will not work over WiFi. It must be done on physical interfaces. But reading your question again, that is probably not what you meant (using tags over WiFi).
The concept of VLANs on the AC86U is different from others (like the AC68U). Usually you create the VLAN and add ports to it (and choose which ports will be tagged). But on the AC86U you need to create a sub-interface of a physical interface to be used as the VLAN. In this case, you can't add ports to the VLAN; instead you put them together into a bridge.
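The AC86U pattern just described (one sub-interface per VID on a physical trunk port, then bridged with its untagged members) as an added example, not LeandroBR's own script: it generalises the thread's eth1 script to any trunk port and list of VIDs and adds the matching teardown. Interface and bridge names are assumed; with DRY_RUN=1 it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not LeandroBR's script: the AC86U vlanctl pattern from this
# thread, generalised to any trunk port and list of VIDs, with the teardown.
# On the AC86U a VLAN is a sub-interface <trunk>.v<VID> of one physical port;
# that sub-interface is then bridged with its untagged members (wl0.1, LAN ports).
# Assumptions: trunk port, VIDs, bridge names and members are supplied by the caller.
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each command instead of running it

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Name vlanctl gives the sub-interface: eth1 + 100 -> eth1.v100
vlan_if_name() { echo "$1.v$2"; }

# Create one tagged sub-interface on the trunk port ($1 = port, $2 = VID).
vlan_create() {
    phy="$1"; vid="$2"; sub=$(vlan_if_name "$phy" "$vid")
    run vlanctl --mcast --if-create "$phy" "$vid"
    # rx: a frame with exactly one tag carrying this VID -> pop the tag, deliver on the sub-if
    run vlanctl --if "$phy" --rx --tags 1 --filter-vid "$vid" 0 --pop-tag --set-rxif "$sub" --rule-append
    # tx: an untagged frame leaving through the sub-if -> push a tag with this VID
    run vlanctl --if "$phy" --tx --tags 0 --filter-txif "$sub" --push-tag --set-vid "$vid" 0 --rule-append
    run ifconfig "$sub" up
}

# Turn a physical port into a trunk for the given VIDs ($2 = "100 200").
# The port leaves br0 first; otherwise untagged traffic would still flow on it.
vlan_trunk_setup() {
    phy="$1"; vids="$2"
    run brctl delif br0 "$phy"
    for vid in $vids; do vlan_create "$phy" "$vid"; done
    run vlanctl --if "$phy" --set-if-mode-rg
    # Untagged frames matching no tx rule are dropped instead of leaking untagged.
    run vlanctl --if "$phy" --tx --tags 0 --default-miss-drop
}

# Bridge one VLAN sub-interface with its untagged members, e.g.
#   vlan_bridge br1 eth1 200 wl0.1 wl1.1
# br0 already exists, so a bridge is only created for other names.
vlan_bridge() {
    br="$1"; phy="$2"; vid="$3"; shift 3
    if [ "$br" != "br0" ]; then run brctl addbr "$br"; fi
    run brctl addif "$br" "$(vlan_if_name "$phy" "$vid")"
    for member in "$@"; do run brctl addif "$br" "$member"; done
}

# Teardown: as found in this thread, deleting the sub-interface is sufficient;
# the port is then handed back to br0.
vlan_trunk_teardown() {
    phy="$1"; vids="$2"
    for vid in $vids; do run vlanctl --if-delete "$(vlan_if_name "$phy" "$vid")"; done
    run brctl addif br0 "$phy"
}
```

The nvram settings, eapd restart and bridge IP assignment stay as shown earlier in the thread; this block only covers the vlanctl and brctl part.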
 
Hi @LeandroBR, and of course everyone else,

Thanks again for the process you made possible on the AC86U.

I am wondering if you have some insights into those 2 issues:

1. After creating the vlans, my syslog file is being flooded with the message "protocol 8100 is buggy" for my interface eth1.

2. Few messages ago I have posted a simple topology:

[Image: simpletopo.png, the simple topology posted earlier]



- AC86U has 2 vlans created on eth1 (pt4) and they are part of bridge br0.
- Netgear switch has a vlan "1" with no ports.
- Netgear switch has a vlan "100" with pt1 tagged and pt2 untagged.
- Netgear switch has a vlan "200" with pt1 tagged and pt2 untagged.
- Netgear pt1 and pt2's PVID are 100 and pt3's PVID is 200.

Currently, the laptop A cannot ping laptop B.
This is expected as the switch p2 is not part of vlan 200 and pt3 is not part of vlan 100.

My issue is that if a laptop C is connected on the AC86U, it can ping laptop B.
I thought by using PVID 100 on pt1, the tagged port of the Netgear switch, it would use VLAN 100 by default, but it does not look like it works that way.

My goal is to isolate my network and to make sure that the vlan 100 and 200 are completely isolated.
I could achieve this isolation by assigning each VLAN to a different bridge and having appropriate iptables rules, but then I will not be able to use the FreshJR QoS script (which really makes a big difference in my home topology).

++++++++++++++++++++++++++++++++++++++++++++++++++++
The script:

#!/bin/sh
brctl delif br0 eth1

vlanctl --mcast --if-create eth1 100
vlanctl --if eth1 --rx --tags 1 --filter-vid 100 0 --pop-tag --set-rxif eth1.v100 --rule-append
vlanctl --if eth1 --tx --tags 0 --filter-txif eth1.v100 --push-tag --set-vid 100 0 --rule-append
ifconfig eth1.v100 up

vlanctl --mcast --if-create eth1 200
vlanctl --if eth1 --rx --tags 1 --filter-vid 200 0 --pop-tag --set-rxif eth1.v200 --rule-append
vlanctl --if eth1 --tx --tags 0 --filter-txif eth1.v200 --push-tag --set-vid 200 0 --rule-append
ifconfig eth1.v200 up

vlanctl --if eth1 --set-if-mode-rg

vlanctl --if eth1 --tx --tags 0 --default-miss-drop

brctl stp br0 on
brctl addif br0 eth1.v100
brctl addif br0 eth1.v200

nvram set lan_ifnames="eth1.v100 eth1.v200 eth2 eth3 eth4 eth5 eth6 wl0.1"
nvram set br0_ifnames="eth1.v100 eth1.v200 eth2 eth3 eth4 eth5 eth6 wl0.1"
nvram commit

killall eapd
eapd

# ethswctl -c hw-switching -o disable
 
brctl stp br0 on
brctl addif br0 eth1.v100
brctl addif br0 eth1.v200

You have included 2 tagged vlans (With different tags) in the same bridge. Why this?

Try to create a new bridge (br1) and split these 2 virtual interfaces .v100 and .v200 into different bridges.

PC A and PC B are sharing the same IP subnet?
 
@LeandroBR If I create another bridge (br1) then I will not be able to use the FreshJR QoS script, which seems to rely on Asus QoS by adding/updating some rules on br0 (you can find it here: https://github.com/FreshJR07/FreshJR_QOS/blob/master/FreshJR_QOS.sh).

This is the only reason why I added the 2 vlans on the same bridge.
I thought it wouldn't be an issue with the switch because it is vlan-aware and when I set vlans on it the vlans are isolated (as long as it is devices directly connected to the vlan).

Previously, following your instructions I created 2 bridges and isolated the traffic with iptables rules.
But QoS is definitely a must have in my environment so I am trying to keep things on one bridge.
In this scenario PC A and B would be on the same subnet.

(Just as an FYI the complete topology I am hoping to achieve is on https://www.snbforums.com/threads/topology-setup-help-mostly-asus-merlin-devices.61985/#post-553880, so as you can see I simplified things quite a bit to start).

Moreover, have you encountered the "protocol 0810 is buggy" error?
I guess I butchered some params somewhere.... :(
 
