RT-86U - vlanctl & ethctl usage puzzle

Rene1978

All,

While the search revealed several hits on the vlanctl and ethctl commands used in the new Broadcom chips, as in the RT-86U, there is not yet a definitive guide or how-to on how to properly use them to control the VLANs on these routers, in contrast to the better-known robocfg command on other Asus routers.

Now I am aware that documentation pages for both vlanctl and ethctl were posted earlier, but unfortunately I am not savvy enough to fully understand them and figure it out. There is also some documentation on this page: http://chunchaichang.blogspot.com/2016/06/vlanctl-command-for-broadcom.html

I am wondering whether this community, of which a significant number of people use the RT-86U, would be interested in figuring it out based on the available command-line documentation? We could use this thread for that. I am kind of hoping that the more tech-savvy members and experts on this forum are willing to help out?

BTW: new to the forum and hoping that this post does not bust any rules.
 
Yes, I would be very interested, as I would like to use my WAN port as a LAN port on my AC86U. On my previous router, an AC3200, I used robocfg for this purpose. I would like to know how to use this command to convert the WAN port into a fifth LAN port.
 
Has there been any progress here? I am about to use a linksys DDWRT router to do VLAN, and I have these beautiful, powerful AX88Us that I would prefer to use.
 
No, unfortunately not. I do not need VLANs at the moment, as my ISP does not support IPTV.
 
Hi, same thing here. I have this beautiful brand new AX88U and would like to dedicate a LAN port to a separate VLAN. As a matter of fact, I'd like to find out more about these basic scenarios:

- Wired client being able to access intranet, but not internet
- Wired client being able to access internet, but not intranet
- Wireless client being able to access intranet, but not internet
- Wireless client being able to access internet, but not intranet (can be done via GUI guest network)
 
Thanks a lot for your work!
This is the most advanced work related to vlanctl I have found.

I've tried multiple times to use your code/explanations to create a script that would create a tagged VLAN 100 on my RT-AX88U router, but I didn't manage to make it work :)

Would you be willing to help? :)
 
Hello,

Thank you for your suggestions of pages to read (I already knew about them from doing some research beforehand), but I don't have to be smart enough to understand everything!

What I'm trying to reproduce on my AX88U are the following commands, which worked before on my AC68U. With the pages you advised me to read, have you understood how to transpose these two commands, please?

# Create VLAN 100 tagged on ports 0 and 4
robocfg vlan 100 ports "0t 4t"
# Add the VLAN interface
vconfig add eth0 100

Thank you !
 
Hello,

First, read EDIT 2 (at the end of this post). There is another way to configure VLANs.

After reading several posts and scripts posted here (and also the one from the Chinese site and others related to it; that Chinese site was the most important for getting everything to work), I managed to get VLANs working between an AC86U and an AC68U (both running RMerlin firmware). I also tried it with a Raspberry Pi 2 running OpenWRT, with success.

I have 3 Wi-Fi networks:
- Main network (2.4 GHz / 5 GHz)
- Guest network (2.4 GHz / 5 GHz)
- IoT network (2.4 GHz only, with AP isolation enabled)

Each network is configured in a different bridge so that I can control the communication between them using iptables.
The AC68U is in AP mode with the same 3 networks, connected to the AC86U using only one port with tagged VLANs (in this case routing and every other feature, such as DHCP and DNS, are all disabled on the AC68U).
The main purpose here is to explain the configuration on the AC86U side, where I see a lack of documentation; for the AC68U you can easily find how to do it, and on a Raspberry Pi you can do it like on any other Linux system with 5 or 6 commands (the ip command makes everything VERY easy).

I'm just sharing what worked for me as a starting point for those who want to try. If you decide to use it, it's your responsibility. If you make a mistake, be aware that I can't support you in recovering your device. And finally, it's important that you have some troubleshooting knowledge.

If you prefer to download the script directly, it's posted here with explanations in Portuguese and English:
https://gist.github.com/lnpbr/db0d8f12aa09b4afc5d578500a484970

#!/bin/sh
# RT-AC86U: use eth2 (physical LAN port 3) as an 802.1Q trunk to a second
# router (an RT-AC68U in AP mode), so that the Wi-Fi networks (Main, Guest
# and IoT) stay separated end to end.

# Point resolv.conf at the router itself instead of the ONT. This matters
# if you are running DNSCrypt locally.
echo "nameserver 127.0.0.1" > /tmp/resolv.conf

# Take eth2 out of br0. A trunk carrying tagged frames must not itself be a
# member of any bridge; only its eth2.vNNN sub-interfaces get bridged.
brctl delif br0 eth2

# VLAN 100 (main network): create eth2.v100, strip the tag on receive and
# add it on transmit.
vlanctl --mcast --if-create eth2 100
vlanctl --if eth2 --rx --tags 1 --filter-vid 100 0 --pop-tag --set-rxif eth2.v100 --rule-append
vlanctl --if eth2 --tx --tags 0 --filter-txif eth2.v100 --push-tag --set-vid 100 0 --rule-append
ifconfig eth2.v100 up

# VLAN 200 (guest network)
vlanctl --mcast --if-create eth2 200
vlanctl --if eth2 --rx --tags 1 --filter-vid 200 0 --pop-tag --set-rxif eth2.v200 --rule-append
vlanctl --if eth2 --tx --tags 0 --filter-txif eth2.v200 --push-tag --set-vid 200 0 --rule-append
ifconfig eth2.v200 up

# VLAN 300 (IoT network)
vlanctl --mcast --if-create eth2 300
vlanctl --if eth2 --rx --tags 1 --filter-vid 300 0 --pop-tag --set-rxif eth2.v300 --rule-append
vlanctl --if eth2 --tx --tags 0 --filter-txif eth2.v300 --push-tag --set-vid 300 0 --rule-append
ifconfig eth2.v300 up

# Very important: switch eth2 from ONT mode to RG mode. In ONT mode,
# broadcasts received on one VLAN are flooded to the others and DHCP
# goes crazy.
vlanctl --if eth2 --set-if-mode-rg

# This option is not in the vlanctl help page. The tx table is created with
# a default ACCEPT policy; changing it to DROP should block any frame that
# matches no rule.
vlanctl --if eth2 --tx --tags 0 --default-miss-drop

# Bridges: br0 = main, br1 = guest (2.4/5 GHz), br2 = IoT (2.4 GHz only;
# no need for 5 GHz on IoT, at least for me).
brctl stp br0 on
brctl addbr br1
brctl addbr br2
brctl delif br0 wl0.1
brctl delif br0 wl1.1
brctl delif br0 wl0.2
brctl addif br0 eth2.v100
brctl addif br1 wl0.1
brctl addif br1 wl1.1
brctl addif br1 eth2.v200
brctl addif br2 wl0.2
brctl addif br2 eth2.v300

# IP addresses for the new bridges
ifconfig br1 192.168.20.1 netmask 255.255.255.0 up
ifconfig br2 192.168.30.1 netmask 255.255.255.0 up

# NVRAM: tell the firmware about the new bridge membership
nvram set lan_ifnames="eth1 eth2.v100 eth3 eth4 eth5 eth6"
nvram set br0_ifnames="eth1 eth2.v100 eth3 eth4 eth5 eth6"
nvram set br1_ifname=br1
nvram set br1_ifnames="eth2.v200 wl0.1 wl1.1"
nvram set lan1_ifname=br1
nvram set lan1_ifnames="eth2.v200 wl0.1 wl1.1"
nvram set br2_ifname=br2
nvram set br2_ifnames="eth2.v300 wl0.2"
nvram set lan2_ifname=br2
nvram set lan2_ifnames="eth2.v300 wl0.2"
nvram set wl0.2_ap_isolate="1"
nvram commit

# eapd (Wi-Fi authentication daemon) must be restarted after NVRAM changes
killall eapd
eapd

# Last step: if you want traffic between the LAN ports (1 to 4), hardware
# switching must be disabled so frames go through the CPU. CPU usage goes
# up, but my tests still reached 1 Gbps without problems.
ethswctl -c hw-switching -o disable

EDIT:
This last command is necessary. It increases CPU usage, but if you keep hw-switching enabled the packets bypass the system's processing and the device works as a normal switch, not a managed one.

EDIT 2: I performed some additional tests: after disabling hw-switching it is possible to create VLANs using "normal" Linux commands, so it is not necessary to use vlanctl.
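The script above depends on two invariants that are easy to break when steps are skipped or re-run: the trunk parent (eth2) must no longer be a bridge port once its tagged sub-interfaces are bridged, and no interface may end up in two bridges (that joins the networks you were trying to separate). The following is an added example, not code from the post or the gist: a POSIX sh checker that parses `brctl show` output and reports both problems. Interface and bridge names follow the thread; the two layouts are constructed samples in `brctl show` format, not captured from a router.

```shell
#!/bin/sh
# Added example (not the poster's code): sanity-check the bridge layout the
# vlanctl/brctl script produces. Parses 'brctl show' output and fails if
#  (a) a trunk parent is still a bridge port while its .vNNN sub-interfaces
#      are bridged (vlanctl needs the parent outside any bridge), or
#  (b) any interface is a member of two bridges.
# GOOD_LAYOUT / BAD_LAYOUT are constructed samples, not real captures.

GOOD_LAYOUT='bridge name	bridge id		STP enabled	interfaces
br0		8000.0123456789ab	yes		eth1
							eth2.v100
							eth3
br1		8000.0123456789ac	no		eth2.v200
							wl0.1
br2		8000.0123456789ad	no		eth2.v300
							wl0.2'

# "brctl delif br0 eth2" was skipped, and wl0.1 was added to br1 without
# first being removed from br0.
BAD_LAYOUT='bridge name	bridge id		STP enabled	interfaces
br0		8000.0123456789ab	yes		eth1
							eth2
							eth2.v100
							wl0.1
br1		8000.0123456789ac	no		eth2.v200
							wl0.1'

# flatten_brctl OUTPUT: print one "bridge port" pair per line.
flatten_brctl() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                        # column header
        NF >= 4 { br = $1; print br, $4; next } # bridge line with its first port
        NF == 3 { br = $1; next }               # bridge with no ports yet
        NF == 1 { print br, $1 }                # continuation line: one more port
    '
}

# check_bridge_layout OUTPUT: returns 0 if consistent, 1 otherwise;
# reasons are printed on stdout.
check_bridge_layout() {
    pairs=$(flatten_brctl "$1")
    rc=0

    # (a) derive trunk parents from eth2.v100-style names and make sure the
    #     parent itself is not a bridge port
    trunks=$(printf '%s\n' "$pairs" | awk '$2 ~ /\.v[0-9]+$/ { sub(/\.v[0-9]+$/, "", $2); print $2 }' | sort -u)
    for t in $trunks; do
        if printf '%s\n' "$pairs" | awk -v t="$t" '$2 == t { hit = 1 } END { exit !hit }'; then
            echo "FAIL: trunk $t is still a bridge port (run: brctl delif <bridge> $t)"
            rc=1
        fi
    done

    # (b) a port in two bridges leaks frames between the networks
    for d in $(printf '%s\n' "$pairs" | awk '{ print $2 }' | sort | uniq -d); do
        echo "FAIL: $d is a member of more than one bridge"
        rc=1
    done

    [ "$rc" -eq 0 ] && echo "OK: bridge layout is consistent"
    return "$rc"
}

# Stand-alone demo on the constructed samples. On the router, run:
#   check_bridge_layout "$(brctl show)"
check_bridge_layout "$GOOD_LAYOUT"
check_bridge_layout "$BAD_LAYOUT" || :
```

Run it once before `nvram commit` and again after a reboot: the firmware rebuilds bridges from NVRAM, so a typo in `lan1_ifnames` shows up here as a missing or duplicated port rather than as a silent leak between networks.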
 
So this creates a trunk port, which is great. Do you have the commands to, say, set a VLAN for a Wi-Fi interface such as wl0.1? This would need to be an untagged VLAN, I believe?
 
Hi,

What would the topology be in this case?
Just to separate the Wi-Fi network?

If so, it's just a matter of using bridges; in the end, even a VLAN you create has to sit inside a bridge.

For example:

I want wired port 1 (eth4) to be in the same network as the guest Wi-Fi.

The first step is to disable HW switching (the last command of the script in my post; otherwise, at least in my tests, communication between wired ports will not work).

Then remove wl0.1 and eth4 from the current bridge:
brctl delif br0 wl0.1
brctl delif br0 eth4

Create a new bridge:
brctl addbr br1

Set the IP for the new bridge (br1):
ifconfig br1 192.168.40.1 netmask 255.255.255.0 up

Add the interfaces:
brctl addif br1 eth4
brctl addif br1 wl0.1

If you want to isolate this network from the main network, a few iptables rules between br0 and br1 can do it. Example (the last rule allows Internet access):

iptables -I FORWARD -i br0 -o br1 -j DROP
iptables -I FORWARD -i br1 -o br0 -j DROP
iptables -I FORWARD -i br1 -o eth0 -j ACCEPT

With this configuration no tag is used; you can connect eth4 (port 1) to any other switch, even one using an external DHCP server.

Or, in my case, I'm using the dnsmasq from the firmware to deliver IPs to all the different networks.

I'm sorry if I'm not understanding your question well. Feel free to explain if I'm wrong.
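The three iptables rules in the reply above only act on the FORWARD chain. Two things a practitioner will want to check: guest clients on br1 can still reach the router's own services (web UI, SSH, on the br1 or br0 address) because those go through INPUT, not FORWARD; and with a third bridge (br2 for IoT) the pairwise DROP rules multiply. The following is an added example, not code from the thread: a POSIX sh function that puts the same isolation idea into dedicated chains, allowing guest-to-WAN plus replies, dropping everything else to or from the guest bridge, and letting the router accept only DHCP and DNS from it. br1 as the guest bridge, eth0 as WAN and the ISO_* chain names are assumptions. It dry-runs by default (prints the iptables commands) and applies them when run with IPT=iptables.

```shell
#!/bin/sh
# Added example (not code from the thread): isolate one guest/IoT bridge from
# every other bridge and from the router itself. Dedicated chains make the
# rule order explicit and let the set be re-applied safely.
# Assumptions: br1 = guest bridge, eth0 = WAN, chain names ISO_<bridge>_*.
# Dry-run by default: the iptables commands are printed, not executed.
# Apply for real with:  IPT=iptables sh isolate.sh
IPT=${IPT:-"echo iptables"}

# isolate_bridge GUEST_BR WAN_IF
isolate_bridge() {
    gbr=$1
    wan=$2
    fwd_chain="ISO_${gbr}_FWD"
    in_chain="ISO_${gbr}_IN"

    # Idempotency: remove the jumps and chains left behind by a previous run.
    $IPT -D FORWARD -j "$fwd_chain" 2>/dev/null || :
    $IPT -D INPUT -j "$in_chain" 2>/dev/null || :
    $IPT -F "$fwd_chain" 2>/dev/null || :
    $IPT -X "$fwd_chain" 2>/dev/null || :
    $IPT -F "$in_chain" 2>/dev/null || :
    $IPT -X "$in_chain" 2>/dev/null || :
    $IPT -N "$fwd_chain"
    $IPT -N "$in_chain"

    # Forwarded traffic: guest -> Internet and the replies back. Anything else
    # from or to the guest bridge (br0, br2, another VLAN ...) is dropped, so
    # adding a third bridge needs no extra pairwise rules.
    $IPT -A "$fwd_chain" -i "$gbr" -o "$wan" -j ACCEPT
    $IPT -A "$fwd_chain" -i "$wan" -o "$gbr" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A "$fwd_chain" -i "$gbr" -j DROP
    $IPT -A "$fwd_chain" -o "$gbr" -j DROP

    # Traffic to the router itself: only DHCP and DNS (dnsmasq). This is what
    # keeps the web UI and SSH on the bridge address away from guest clients;
    # FORWARD rules alone never do that.
    $IPT -A "$in_chain" -i "$gbr" -p udp --dport 67 -j ACCEPT
    $IPT -A "$in_chain" -i "$gbr" -p udp --dport 53 -j ACCEPT
    $IPT -A "$in_chain" -i "$gbr" -p tcp --dport 53 -j ACCEPT
    $IPT -A "$in_chain" -i "$gbr" -j DROP

    # Jump into our chains first, ahead of the firmware's own LAN ACCEPT rules.
    $IPT -I FORWARD 1 -j "$fwd_chain"
    $IPT -I INPUT 1 -j "$in_chain"
}

isolate_bridge br1 eth0
```

Because the firmware rewrites its firewall on WAN events, call this from the firmware's firewall-start hook rather than once by hand; the cleanup at the top makes a repeated run harmless.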
 
Wow, that is amazing work!
Thank you for sharing, even if I don't understand everything :)
In order to make IPTV and many services of my TV box work, I'm looking for a way to create a tagged VLAN 100 between the WAN port and one port of the switch of my router (AX88U), and of course to keep a regular untagged network on the same port (I have another switch on the TV side).
Could you help me with that?
 
This is what YazFi does now (minus the bridging). I'm thinking of APs running guest networks, associating a VLAN with all guest traffic for an upstream router to firewall appropriately.
 
So, to do what you want, it's exactly what I described.

Just divide into different bridges and associate each with a wired port; then you can uplink that wired port to an external firewall.

There is no difference between this and an untagged VLAN.
But in this case the wired port is intended to be used only for the guest network.

If you want to control the guest traffic using an external firewall, that external firewall must be the default gateway. It must be set in the DHCP server.

Is that what you are planning?
 
I didn't try this configuration, mixing tagged and untagged VLANs on the same port (tagged VLAN plus native VLAN).

I think you want something like this:

>> eth1 --- WAN --> communication with tagged VLAN 100, no routing, just direct communication keeping the VLAN tag, regardless of traffic direction. As if eth1 and WAN were wired to each other. That means your IPTV box connected to eth1 sends packets already tagged with VLAN 100. Right?
>> eth1,2,3,4 --- WAN --> normal communication without any VLAN tag, keeping routing between eth1,2,3,4 and WAN? (eth1,2,3,4 for clients being routed to the Internet through the WAN, using source NAT/MASQUERADE)

Is that what you are trying to do?
 
Thanks for your reply.
Yes, that is exactly what I'm trying to do!
Is it possible?
 
I have a guess, but absolutely no idea whether or not this will work, and I have no way to test it.
If you test it, please report back here so everyone knows about it.
The following could be a starting point!

# Remove eth1 from br0; from now on only its sub-interfaces are used
brctl delif br0 eth1

# Create eth1.v100 and pass VLAN 100 tagged frames through untouched (no pop/push)
vlanctl --if-create eth1 100
vlanctl --if eth1 --rx --tags 1 --filter-vid 100 0 --set-rxif eth1.v100 --rule-append
vlanctl --if eth1 --tx --tags 1 --filter-vid 100 0 --filter-txif eth1.v100 --rule-append
ifconfig eth1.v100 up

# Create eth0.v100 (WAN side) and pass VLAN 100 tagged frames through untouched
vlanctl --if-create eth0 100
vlanctl --if eth0 --rx --tags 1 --filter-vid 100 0 --set-rxif eth0.v100 --rule-append
vlanctl --if eth0 --tx --tags 1 --filter-vid 100 0 --filter-txif eth0.v100 --rule-append
ifconfig eth0.v100 up

# New bridge br3 joining eth0.v100 and eth1.v100: frames between them keep
# VLAN tag 100; nothing is added or removed
brctl addbr br3
brctl addif br3 eth1.v100
brctl addif br3 eth0.v100
ifconfig br3 up

# Sub-interface for the native (untagged) VLAN on eth0
vlanctl --if-create eth0 0
vlanctl --if eth0 --rx --tags 0 --set-rxif eth0.v0 --rule-append
vlanctl --if eth0 --tx --tags 0 --filter-txif eth0.v0 --rule-append
ifconfig eth0.v0 up

# Sub-interface for the native (untagged) VLAN on eth1
vlanctl --if-create eth1 0
vlanctl --if eth1 --rx --tags 0 --set-rxif eth1.v0 --rule-append
vlanctl --if eth1 --tx --tags 0 --filter-txif eth1.v0 --rule-append
ifconfig eth1.v0 up

# Put eth1.v0 (untagged) into br0, where all the other LAN interfaces are
brctl addif br0 eth1.v0

# br2 becomes the new WAN interface for the Internet; eth0.v0 goes into it
brctl addbr br2
brctl addif br2 eth0.v0

# Move the WAN IP from the physical eth0 to br2 (fill in your current values)
ip addr del <current ip>/<current mask> dev eth0
ifconfig br2 <Router WAN IP> netmask <Router WAN mask> up

All the iptables rules related to the Internet must be changed (remember the WAN interface was eth0, but now it's br2).
At least these rules must be set (take care with the rules so as not to expose your network to the Internet):

iptables -I FORWARD -i br0 -o br2 -j ACCEPT
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -I POSTROUTING -o br2 -j MASQUERADE

You need to change all the interface-related NVRAM settings, as well as the WAN parameters, to match the new br2 interface.
 
