RT-86U - vlanctl & ethctl usage puzzle

[LeandroBR]

@LeandroBR If I create another bridge (br1) then I will not be able to use the FreshJR QoS scrip, which seems to rely on Asus QoS by add/updating some rules on the br0. (you can find it here: https://github.com/FreshJR07/FreshJR_QOS/blob/master/FreshJR_QOS.sh).

This is the only reason why I added the 2 vlans on the same bridge.
I thought it wouldn't be an issue with the switch because it is vlan-aware and when I set vlans on it the vlans are isolated (as long as it is devices directly connected to the vlan).

Previously, following your instructions I created 2 bridges and isolated the traffic with iptables rules.
But QoS is definitely a must have in my environment so I am trying to keep things on one bridge.
In this scenario PC A and B would be on the same subnet.

(Just as an FYI the complete topology I am hoping to achieve is on https://www.snbforums.com/threads/topology-setup-help-mostly-asus-merlin-devices.61985/#post-553880, so as you can see I simplified things quite a bit to start).

Moreover, have you encountered the "protocol 0810 is buggy" error?
I guess I butchered some params somewhere....

For me this configuration does not appear to be right, or at least, not so good.
If you are tagging 2 different vlans in the same bridge, every traffic received in 1 vlan inside the bridge will fall to the other vlan and will return with different tag to the switch.

Furthermore, 2 interfaces of different VLANS in the same bridge, this is not exactly an isolation.

"protocol 0810 is buggy"

About this, I think there is no solution. I have it too. No impact at all.

 

[Michel]

For me this configuration does not appear to be right, or at least, not so good.
If you are tagging 2 different vlans in the same bridge, every traffic received in 1 vlan inside the bridge will fall to the other vlan and will return with different tag to the switch.

Furthermore, 2 interfaces of different VLANS in the same bridge, this is not exactly an isolation.

About this, I think there is no solution. I have it too. No impact at all.

Thank you for your help.
I have to investigate for the QoS with multiple bridges.
Unfortunately, I didn't get any replies from the knowledgeable guys on this topic :-(

 

[Fmstrat]

Thank you for starting this up @LeandroBR! I'm wondering if you and the community can help me out with my use case, which may be simpler than what others are asking for. I don't necessarily need multiple vlans or IPTV separation, I just need to isolate one LAN port on an RT-AX88U so that it can't get to the rest of the LAN, but can get to WAN. I'd like to set up a VLAN with a separate subnet to do this on for 1 port, but I'm not following exactly what needs to happen in the scripts to accomplish that. Any chance you could provide some guidance?

 

[Giuse1977]

Need help too.. just wondering how can I trunk native LAN VLAN with WAN VLAN.. I have a VDSL modem, a VLAN switch, and the 86u.
Between the switch and the 86u I would trunk vlan1 and vlan2, the first carrying LAN traffic, the second carrying WAN traffic. On the switch vlan1 exits untagged to some ports where a couple of hosts that need to be on LAN, vlan2 exit untagged on the modem port. This setup was working with my previous 56u and a a couple of code lines using robocfg. Now I am completely lost!

 

[Jack Yaz]

# So, the last step, if you want to communicate between LAN interfaces (1 to 4), you must disable HW Switching (this will increase the CPU usage, but my tests showed you can reach 1Gbps with no problem).
# Para funcionar tráfego entre as interfaces físicas (1 a 4), desativar o HW Switching, isto aumentará o uso de CPU, mas de acordo com os meus testes, você consegue atingir 1Gbps sem problemas.
ethswctl -c hw-switching -o disable

EDIT: this last command is necessary, it will increase the CPU usage, but if you keep the hw-switching enabled, the packats will bypass the system processing and it will work as a normal switch, not a managed one.

EDIT 2: I performed some additional tests, after disable hw-switching, it's possible to create VLAN using "normal" Linux commands, so, it's not necessary to use VLANCTL.

Coming back to this, re. edit 2 - by "normal" commands do you mean simply directly referencing the LAN ports, e.g. eth4 and no need to create VLAN interfaces, thus controlling access via ebtables/iptables?

 

[LeandroBR]

Coming back to this, re. edit 2 - by "normal" commands do you mean simply directly referencing the LAN ports, e.g. eth4 and no need to create VLAN interfaces, thus controlling access via ebtables/iptables?

No, actually, what I meant is that you don't need to use VLANCTL to create VLAN, but directly use IP LINK (it's simpler, I tested and worked):

Example:

ip link add link ethX name vlan10 type vlan id 10
ip link add link ethX name vlan20 type vlan id 20
ifconfig vlan10 192.168.10.1 netmask 255.255.255.0 up
ifconfig vlan20 192.168.11.1 netmask 255.255.255.0 up
ip addr del 192.168.A.B/24 dev ethX

Then, add these new interfaces to the bridges.

To connect Router + APs to extend guests networks, I can't think another way without using VLAN. Just controlling by ebtables/iptables, this is possible only using the same router, but not multiple (router+APs).

 

[afreire]

Hi, I need to configure VLAN for IPTV, I need to do the same that that link but we the new command instead of robocfg.

Anybody can do it?

Cheers.

 

[Deleted member 62525]

No, actually, what I meant is that you don't need to use VLANCTL to create VLAN, but directly use IP LINK (it's simpler, I tested and worked):

Example:

ip link add link ethX name vlan10 type vlan id 10
ip link add link ethX name vlan20 type vlan id 20
ifconfig vlan10 192.168.10.1 netmask 255.255.255.0 up
ifconfig vlan20 192.168.11.1 netmask 255.255.255.0 up
ip addr del 192.168.A.B/24 dev ethX

Then, add these new interfaces to the bridges.

To connect Router + APs to extend guests networks, I can't think another way without using VLAN. Just controlling by ebtables/iptables, this is possible only using the same router, but not multiple (router+APs).

If I understand this correctly we can use IP LINK and if we want to create 2 VLANS on physical port1 and port2 the code would look like this;

VLAN setup (port 1 -> eth4, port 2 -> eth3 )

ip link add link eth4 name vlan10 type vlan id 10
ip link add link eth3 name vlan20 type vlan id 20
ifconfig vlan10 192.168.100.1 netmask 255.255.255.0 up
ifconfig vlan20 192.168.200.1 netmask 255.255.255.0 up
ip addr del 192.168.A.B/24 dev eth4
ip addr del 192.168.A.B/24 dev eth3
brctl addif br0 eth4
brctl addif br0 eth3

Do we still need to disable HW acceleration?

 

[LeandroBR]

If I understand this correctly we can use IP LINK and if we want to create 2 VLANS on physical port1 and port2 the code would look like this;

VLAN setup (port 1 -> eth4, port 2 -> eth3 )

ip link add link eth4 name vlan10 type vlan id 10
ip link add link eth3 name vlan20 type vlan id 20
ifconfig vlan10 192.168.100.1 netmask 255.255.255.0 up
ifconfig vlan20 192.168.200.1 netmask 255.255.255.0 up
ip addr del 192.168.A.B/24 dev eth4
ip addr del 192.168.A.B/24 dev eth3
brctl addif br0 eth4
brctl addif br0 eth3

Do we still need to disable HW acceleration?

This command is necessary:
ethswctl -c hw-switching -o disable

Maybe, using eth0 interface for VLANs, this is not necessary, you need to test.

Below, that's wrong:

brctl addif br0 eth4
brctl addif br0 eth3

You must add the virtual interfaces into the bridge, not the physical ones.

And, what's the purpose to create 2 VLANs in 2 different physical interfaces and add them to the same bridge? This is not a trunk port. You can do this, but separete in different bridges, than you will finish with an Access Port, not a trunk one.

 

[Deleted member 62525]

If I understand this correctly we can use IP LINK and if we want to create 2 VLANS on physical port1 and port2 the code would look like this;

VLAN setup (port 1 -> eth4, port 2 -> eth3 )

ip link add link eth4 name vlan10 type vlan id 10
ip link add link eth3 name vlan20 type vlan id 20
ifconfig vlan10 192.168.100.1 netmask 255.255.255.0 up
ifconfig vlan20 192.168.200.1 netmask 255.255.255.0 up
ip addr del 192.168.A.B/24 dev eth4
ip addr del 192.168.A.B/24 dev eth3
brctl addif br0 eth4
brctl addif br0 eth3

Do we still need to disable HW acceleration?

Yes, my mistake. I am trying to understand the code and what it does.
Ultimately, my end goal is to have 2 VLANS, one per physical port. I am trying to see if
1. I do it with some code as in your examples
2. Buy something like Netgear GS308T that will allow me to create vlans

Reading the threads (I have RT-AC86U) I think it would be best to go with option 2 for stability and with GS308T one can explore even more capabilities.

 

[LeandroBR]

Yes, my mistake. I am trying to understand the code and what it does.
Ultimately, my end goal is to have 2 VLANS, one per physical port. I am trying to see if
1. I do it with some code as in your examples
2. Buy something like Netgear GS308T that will allow me to create vlans

Reading the threads (I have RT-AC86U) I think it would be best to go with option 2 for stability and with GS308T one can explore even more capabilities.

But this netgear, it’s a switch. I don’t know the features, but I believe that with Asus AC86U, being a router, you can do more.

About stability, I have absolutely no problem here using 3 VLANs for long time.

You can use 2 VLANs in 2 different physical ports, just split the new virtual ports in 2 different bridges.

 

[tobi]

Hi,

I have 3 AC68U as APs and one AC86U as main router. All I want was a guest network spanning across the APs... I had it working with the three AC68Us with one of them as the main router.... but I was affraid of setting it up with the AC86U. After reading the thread, I was ready to go and enabled the guest network on it. Then connected via ssh I tried "brctl show" and saw this:

tobi@RT-AC86U-F400:/tmp/home/root# brctl show
bridge name    bridge id        STP enabled    interfaces
br0        8000.244bfebcf400    yes        eth1
                            eth2
                            eth3
                            eth4
                            eth5
                            eth5.0
                            eth6
                            eth6.0
br1        8000.244bfebcf401    yes        eth1.501
                            eth2.501
                            eth3.501
                            eth4.501
                            eth5.501
                            eth6.501
                            wl0.1

br1 was already configured correctly with the stock configuration.

The only problem: my vlan was 101 on the nodes. So I changed the scripts on them to use 501 instead of 101, rebooted all devices and everything was working as it should.... I tested if the isolation was working on all nodes and was surprised that everything was working correctly.

The scripts for the AC68Us I had from this forum. In case somebody needs them, I can look them up or post them with my slight modifications....

all in all I was surprised the AC86U was ready to go basically out of the box... I guess it would even have worked with stock firmware...

 

[WifiGhost]

Hello,

At first, read EDIT 2 (At the end of this post). There is another way to configure VLAN.

After read several posts and scripts posted here (and also the one from Chinese site and others related, this Chinese site was the most important to do everything to work) I could make the VLAN working between AC86U and AC68U (both running RMerlin firmware). I tried with a Raspberry Pi 2 running OpenWRT with success.

I have 3 wifi networks:
- Main network (2,4Ghz / 5Ghz)
- Guest network (2,4Ghz / 5Ghz)
- IoT network (2,4Ghz only and AP Isolation enabled)

Each of the networks are configured in different bridges so that I can control the communication using IPTABLES.
The AC68U is in AP mode with the same 3 networks connected to AC86U using only 1 port with tagged VLAN (in this case, the routing and any other feature, like DHCP, DNS are all disabled)
The main purpose here is to explain the configuration on AC86U side, that I'm seeing there is lack of documentation, for AC68U you can find easly how to do and for Raspberry Pi, you can do it like any other Linux system using 5 or 6 commands (ip command can do everything VERY easy).

I'm just sharing what worked for me to be a start point for those who want to try, if you decide to use, it's your responsibility. If you make any mistake, be aware I can't support you to recovery your device. And finally, its important you have some knowledge for troubleshooting.

#!/bin/sh
# With this script I'm going to use eth2 (physical port 3) to be my
# Trunk port to another router Asus RT-AC68U, so that I can split my
# Wi-Fi networks (Main Network, Guest Network and IoT Network).
# Configure file resolv.conf to make it to use the router itself as DNS Server, instead ONT. It's important if you are using DNSCrypt.

# Configura o arquivo resolv.conf para apontar apenas pra loopback, usando assim o DNSCrypt configurado
echo "nameserver 127.0.0.1" > /tmp/resolv.conf

# Remove the interface eth2 from br0 (to use it as trunk with 802.1Q Tags). This interface can't be inside any bridge.
# Remove a interface eth2 da br0 (para utilizar como Trunk) e cria as VLANs com TAG. Esta interface não pode estar em nenhum bridge
brctl delif br0 eth2

# Creating VLAN 100 and the Input / Output rules (main network)
# Criando a VLAN 100 e as regras de entrada e saída (rede principal)
vlanctl --mcast --if-create eth2 100
vlanctl --if eth2 --rx --tags 1 --filter-vid 100 0 --pop-tag --set-rxif eth2.v100 --rule-append
vlanctl --if eth2 --tx --tags 0 --filter-txif eth2.v100 --push-tag --set-vid 100 0 --rule-append
ifconfig eth2.v100 up

# Creating VLAN 200 and the Input / Output rules (guest network)
# Criando a VLAN 200 e as regras de entrada e saída (rede de convidados)
vlanctl --mcast --if-create eth2 200
vlanctl --if eth2 --rx --tags 1 --filter-vid 200 0 --pop-tag --set-rxif eth2.v200 --rule-append
vlanctl --if eth2 --tx --tags 0 --filter-txif eth2.v200 --push-tag --set-vid 200 0 --rule-append
ifconfig eth2.v200 up

# Creating VLAN 300 and the Input / Output rules (IoT network)
# Criando a VLAN 300 e as regras de entrada e saída (rede IoT)
vlanctl --mcast --if-create eth2 300
vlanctl --if eth2 --rx --tags 1 --filter-vid 300 0 --pop-tag --set-rxif eth2.v300 --rule-append
vlanctl --if eth2 --tx --tags 0 --filter-txif eth2.v300 --push-tag --set-vid 300 0 --rule-append
ifconfig eth2.v300 up

# This is a very important step, otherwithse (if keep in ONT mode), the broadcasts received in 1 VLAN will be spread to others and your DHCP will become crazy.
# Este passo é muito importante, para evitar que os broadcasts em uma VLAN sejam divulgados em outras, caso contrário haverá problemas com o DHCP.
vlanctl --if eth2 --set-if-mode-rg

# This command is not in the help page of vlanctl, but I found the tx table is ACCEPT by default, so, I changed to DROP. I think if not rule matches, then the packet will be blocked.
# Este comando não está na página de ajuda do commando vlanctl, mas percebi que a tabela de tx sempre é criada com política ACCEPT por padrão, então alterai para DROP. Acredito que se nenhuma regra bater, o pacote é bloqueado.
vlanctl --if eth2 --tx --tags 0 --default-miss-drop

# Organize the bridges, in my case, I have an additional WiFi 2,4/5Ghz for guests and only one 2,4Ghz for IoT (no need 5Ghz for IoT, at least for me).
# Arruma as bridges (br0 br1 br2), no meu caso tenho uma rede adicionao de 2,4/5Ghz para convidados e apenas uma de 2,4Ghz para IoT (não preciso de 5Ghz para IoT)
brctl stp br0 on
brctl addbr br1
brctl addbr br2
brctl delif br0 wl0.1
brctl delif br0 wl1.1
brctl delif br0 wl0.2
brctl addif br0 eth2.v100
brctl addif br1 wl0.1
brctl addif br1 wl1.1
brctl addif br1 eth2.v200
brctl addif br2 wl0.2
brctl addif br2 eth2.v300

# Define IPs for new bridges
# Define os IPs para as novas bridges
ifconfig br1 192.168.20.1 netmask 255.255.255.0 up
ifconfig br2 192.168.30.1 netmask 255.255.255.0 up

# Adjust NVRAM config
# Ajusta configs do NVRAM
nvram set lan_ifnames="eth1 eth2.v100 eth3 eth4 eth5 eth6"
nvram set br0_ifnames="eth1 eth2.v100 eth3 eth4 eth5 eth6"
nvram set br1_ifname=br1
nvram set br1_ifnames="eth2.v200 wl0.1 wl1.1"
nvram set lan1_ifname=br1
nvram set lan1_ifnames="eth2.v200 wl0.1 wl1.1"
nvram set br2_ifname=br2
nvram set br2_ifnames="eth2.v300 wl0.2"
nvram set lan2_ifname=br2
nvram set lan2_ifnames="eth2.v300 wl0.2"
nvram set wl0.2_ap_isolate="1"
nvram commit

# eapd restart (when change NVRAM, it's necessary)
# Restart eapd (autenticacao wifi, necessário quando altera a NVRAM)
killall eapd
eapd

# So, the last step, if you want to communicate between LAN interfaces (1 to 4), you must disable HW Switching (this will increase the CPU usage, but my tests showed you can reach 1Gbps with no problem).
# Para funcionar tráfego entre as interfaces físicas (1 a 4), desativar o HW Switching, isto aumentará o uso de CPU, mas de acordo com os meus testes, você consegue atingir 1Gbps sem problemas.
ethswctl -c hw-switching -o disable

EDIT: this last command is necessary, it will increase the CPU usage, but if you keep the hw-switching enabled, the packats will bypass the system processing and it will work as a normal switch, not a managed one.

EDIT 2: I performed some additional tests, after disable hw-switching, it's possible to create VLAN using "normal" Linux commands, so, it's not necessary to use VLANCTL.

do you have a bridge reset script as well or is that not needed on HND devices?

 

[HearToLearn]

this is what yazfi does now (minus bridging). i'm thinking of APs running guest networks, associating a vlan to all guest traffic for an upstream router to firewall appropriately

This would be amazing addition! The addon is perfect for it, was gutted when I realised AP isn't supported.

 

[Paul Smedley]

this is what yazfi does now (minus bridging). i'm thinking of APs running guest networks, associating a vlan to all guest traffic for an upstream router to firewall appropriately

Hi @Jack Yaz did you ever make any progress with yazfi for APs running guest networks?

 

[Dandadude]

Hello!

This is a great thread, thanks all, especially @LeandroBR !

What I am trying to achieve on my AC86U is that all LAN ports be seperated from eachother's traffic (probably with VLANs), but still be able to have internet connection (through the wAN port of course that is connected with PPP).
Also it would be requested that for instance port_#4 (eth1) also reach a single IP's single port within for instance port_#1 (eth4), which is a printer by the way.

How do you think I can achieve this?
I was happy to find this (it seems to be what I need with only port_#4 seperation), but I recently found out that I have chosen the wrong router that does not support robocfg:

Force LAN port 4 to use the Guest network for Asus/merlin RT-AC68U

Hi, I am going to be trying to add a VLAN to port 4 on my RT-AC68 with Merlin firmware and am a COMPLETE noob. 1. Is there any specific naming convention/specific names for the scripts I will be adding to the jffs/scripts directory? (I assume I will be adding a new script and not modifying an...

www.snbforums.com

I have been studying the examples given in this current thread, but I cannot really find the solution for this :-(

I really need this going :-(

Thanks very much!

 

[DiliMe]

After read several posts and scripts posted here (and also the one from Chinese site and others related, this Chinese site was the most important to do everything to work) I could make the VLAN working between AC86U and AC68U (both running RMerlin firmware).

Hi LeandroBR,
I really appreciate your work on the VLAN of HND routers, it looks that in the last 2 years it hasn't much adevance here on the SNB forum related to VLANs.

Can you please guide me into the steps and the vlanctl commands for changing the physical Port4 (eth1) so that it has the same restrictions as Guest wireless (VLAN 501 that is already created by Asus when setting "Access intranet=disable" on the Guest wireless)?
I looks that eth1 needs to be changed from tagged trunk (native vlan=1) ==> into ==> untagged port (access mode) associated with VLAN 501 and then also to be removed from br0 . It looks that interface eth1.501 is already member of br1 (as part of the Asus default config when setting "Access intranet=disable").

Thank you!

 

[PaulA]

@DiliMe See here: https://www.snbforums.com/threads/p...erlin-w-tagged-internet-isp.89677/post-902942
Paul