RT-AC66U - Script for separate VLANS and Subnets with DHCP

[munator]

I need the know-how from other guys to solve my problem

After a couple of days of research, I don’t get it working. I'm desperately looking for some help to make it work.

Current Hardware: ASUS RT-AC66U
FW Version: 380.58_0
Current Network Setup: 1 port WAN; 4 port LAN with WIFI and a Guest WIFI 2.5 GHz; all setup via GUI, WAN Connection Type PPPoE
Current Scripts: See below
Goal: To have one separate VLAN/Subnet on one of the router ports with access to the internet. The network could be static. DHCP on this subnet is nice to have. To connect a mail/file-server to the chosen port.
Future Plans: To separate also the house control server at another port.
Retrieved Hardware Info via CLI (MAC's and IP's were changed to protect the innocent:

Start configuration:

# nvram show | grep vlan1
lan_ifnames=vlan1 eth1 eth2 wl0.1
vlan1hwname=et0
vlan1ports=1 2 3 4 8*
landevs=vlan1 wl0 wl1

# nvram show | grep vlan2
vlan2ports=0 8u
vlan2hwname=et0

# robocfg show
Switch: enabled gigabit
Port 0: 100FD enabled stp: none vlan: 2 jumbo: off mac: 00:00:00:00:00:01
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:02
Port 2: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:03
Port 3: 100FD enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:04
Port 4: 10HD enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:05
Port 8: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:06
VLANs: BCM53115 enabled mac_check mac_hash
1: vlan1: 1 2 3 4 8t
2: vlan2: 0 8u

# brctl show
Bridge name bridge id STP enabled interfaces
br0 8000.f07959d066c8 yes vlan1
eth1
eth2
wl0.1

-----------------------------------------------MY PAGE BREAK---------------------------------------------------------

After I have configured the standard GUI settings, I have implemented the script.

Target: /jffs/scripts/
File name: services-start
File content:

#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

## Remove port 2 from VLAN1
robocfg vlan 1 ports "1 3 4 8t"

## Create VLAN6 and add port 2
robocfg vlan 6 ports "2 8t"

## give vlans wan access
vconfig add et0 6

## activate vlans
ifconfig vlan6 up

## create bridge
brctl addbr br6

## add lan to bridge
brctl addif br6 vlan6

## assign ip addresses to bridge and activate them
ifconfig br6 192.168.2.1 netmask 255.255.255.0
ifconfig br6 up

## set interface groups/names into nvram
nvram set vlan1ports=”1 3 4 8*”
nvram set vlan6ports=”2 8*”
nvram set vlan6hwname=”et0”
nvram set lan6_ifnames="vlan6"
nvram set lan6_ifname="br6"

nvram commit
killall eapd
eapd


Also, they need to have proper permissions, set them with:

chmod a+rx /jffs/scripts/*

-----------------------------------------------MY PAGE BREAK---------------------------------------------------------

Configuration after restart:

# nvram show | grep vlan1
lan_ifnames=vlan1 eth1 eth2 wl0.1
vlan1hwname=et0
vlan1ports=1 3 4 8*
landevs=vlan1 wl0 wl1

# nvram show | grep vlan2
vlan2ports=0 8u
vlan2hwname=et0

# nvram show | grep vlan6
vlan6ports=2 8*
vlan6hwname=et0
lan6_ifnames=vlan6

# robocfg show
Switch: enabled gigabit
Port 0: 100FD enabled stp: none vlan: 2 jumbo: off mac: 00:00:00:00:00:01
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:02
Port 2: DOWN enabled stp: none vlan: 6 jumbo: off mac: 00:00:00:00:00:03
Port 3: 100FD enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:04
Port 4: 10HD enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:05
Port 8: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:06
VLANs: BCM53115 enabled mac_check mac_hash
1: vlan1: 1 3 4 8t
2: vlan2: 0 8u
6: vlan6: 2 8t

# brctl show

Bridge name bridge id STP enabled interfaces
br0 8000.f07959d066c8 yes vlan1
eth1
eth2
wl0.1
br6 8000.f07959d066c8 no vlan6

-----------------------------------------------MY PAGE BREAK---------------------------------------------------------

Then I have configured the fix ip address (192.168.2.100) on the notebook and I get a connection error in windows. The port is up and I see traffic on wireshark. I can’t ping the gateway 192.168.2.1. The interface receives the ping but doesn’t answer.

If I connect the notebook via eth1, eth2 or vlan1 I can ping 192.168.2.1. The configuration except port 2 works as with the standard configuration.

 

[wiz]

I don't see any iptables config here. Aren't you just running into a firewall issue? Also in your robocfg show statement it shows port2 Down. That should show 100FD or 1000FD instead of down. what does ifconfig vlan6 show?

 

[munator]

hi wiz,

on my notebook I have only one lan-port. If I connect my notebook to port 3 and I send robocfg show, port 2 is open. If I connect another device, it would be up.

I thought the vlan6 would use the same firewall as the vlan1. The firewall is normally on the wan interface and internally I should reach the other networks without any change of the firewall.

I can’t ping the ip address, when the notebook is connected to the port 2. This should work without any configuration of the firewall.

Do you have any command to switch of the firewall for this vlan?

BR

 

[martin3dsc]

## give vlans wan access
vconfig add et0 6
vconfig: ioctl error for add: Invalid argument
vconfig add eth0 6 gives no error.
What is mis withe my router what i'm doing wrong?
Firmware:380.62_1 rt-ac66u

 

[Jacques Assert]

RT-AC66U, factory reset after 380.63 installation.

Traditional QoS upload/download bandwidth not working.
It appears to clamp both upload and download to the lower value.
[This also appears to occur with earlier versions.]

Speedtest shows 65/11 when QoS off.
When Traditional Qos enabled:
upload:10, download: 60, speedtest.net: 10/10
upload:60, download: 10, speedtest.net: 10/10
upload:30, download: 60, speedtest.net: 30/11
upload:60, download: 30, speedtest.net: 30/11
upload:60, download: 60, speedtest.net: 59/11

Download never exceeds the lesser of the upload/download bandwidth settings.

In contrast, Bandwidth Limiter using a MAC address operates correctly.

Also, the Qos Statistics page only shows Upload.

 

[L&LD]

RT-AC66U, factory reset after 380.63 installation.

Traditional QoS upload/download bandwidth not working.
It appears to clamp both upload and download to the lower value.

Speedtest shows 65/11 when QoS off.
When Traditional Qos enabled:
upload:10, download: 60, speedtest.net: 10/10
upload:60, download: 10, speedtest.net: 10/10
upload:30, download: 60, speedtest.net: 30/11
upload:60, download: 30, speedtest.net: 30/11
upload:60, download: 60, speedtest.net: 59/11

Download never exceeds the lesser of the upload/download bandwidth settings.

In contrast, Bandwidth Limiter using a MAC address operates correctly.

Also, the Qos Statistics page only shows Upload.

Known issue (for some).

Try Adaptive QoS instead.

 

[RMerlin]

Also, the Qos Statistics page only shows Upload.

This is normal, Traditional QoS can only classify outbound traffic.

 

[Jacques Assert]

Try Adaptive QoS instead.

Unfortunately, Adaptive QoS is not available on the RT-AC66U.

 

[Jacques Assert]

Traditional QoS can only classify outbound traffic.

Any comment on the Bandwidth clamping to the lower limit?
Is this also normal? Unexpected? Or no opinion?

Also, the comment says that 0 (zero) means no limit but you can't actually enter 0 (zero).

 

[RMerlin]

Any comment on the Bandwidth clamping to the lower limit?
Is this also normal? Unexpected? Or no opinion?

Also, the comment says that 0 (zero) means no limit but you can't actually enter 0 (zero).

Normally, the clamping should only occur if there's another data stream going on with a higher priority. This was working properly the last time I tested it, which was a few years ago.

I've since given up on traditional QoS however since it's currently half broken for multiple models, and never really worked that well from the beginning, in large part due to its lack of inbound control. People are also reporting contradicting results, for some it works fine, while others report it doesn't work at all.

People needing highly configurable QoS will get better results from Tomato, since it's able to control both inbound and outbound traffic, and it's known to work well.

 

[Jacques Assert]

People needing highly configurable QoS will get better results from Tomato, since it's able to control both inbound and outbound traffic, and it's known to work well.

Thank you for the suggestion. I bit the bullet and installed Tomato Shibby. The QoS support is excellent.

There are other configuration caveats that make me sad to leave, but no argument with the QoS support.

Feature request: Config file in text format so that settings can be matched easily across versions. I support a script to set items would be close, but I'd like to compare all default settings with current settings and have a list of all changes.

 

[RMerlin]

Feature request: Config file in text format so that settings can be matched easily across versions.

nvram show | sort > /mnt/sda1/settings.txt

 

[Jacques Assert]

nvram show | sort > /mnt/sda1/settings.txt

Je vous remercie.

 

[Jacques Assert]

People needing highly configurable QoS will get better results from Tomato, since it's able to control both inbound and outbound traffic, and it's known to work well.

So I tried Tomato Shibby (various releases) on an RT-AC66U with great success on the QoS but brittle 5GHz wireless. It starts locked to 20MHz. Finally got 80MHz by using Australia as regulatory country but that matches Canada so the difference is not clear.

But the QoS works well.

When can we get fq_codel on Merlin?

And does anyone know the best forum to discuss Tomato issues?

 

[RMerlin]

When can we get fq_codel on Merlin?

It's been in it for over 6 months now.

 

[Jacques Assert]

Thank you for the confirmation. That was what dslreports speedtest suggested but all the posts I found discussed why it needed newer kernels in portions that were Broadcom controlled.

 

[mikecpt]

I'm trying a similar setup as the 1st post, but trying to get DHCP to work, I've added the dnsmasq config (note that I use vlan3 and br3 instead of 6)

## Seperate dhcp subnet
interface=br3
dhcp-range=br3,192.168.1.2,192.168.1.254,255.255.255.0,86400s
dhcp-option=br3,3,192.168.1.1
dhcp-option=br3,6,192.168.1.1
dhcp-option=br3,15,local

log-facility=/tmp/dnsmasq.log
log-dhcp

I do see this in the log so its seems to have worked

Aug 10 13:59:57 dnsmasq-dhcp[6997]: DHCP, IP range 192.168.1.1 -- 192.168.1.253, lease time 1d

I have a second AP with the vlan setup but it doesn't seems to be able to find this dhcp server.
I even set it up with vlan1 on ports 1 2 3 and vlan 3 on port 4, I get main DHCP pool working on the first ports but not the the other one.

I was thinking this could be firewall but I also issued :

iptables -I INPUT -i br3 -j ACCEPT
iptables -I FORWARD -i br3 -j ACCEPT

And that doesn't seem to help... when I tail the dnsmasq log I never see DHCP request for 192.168.1.X (my primary subnet is 172.16.50.0/24 )

Any ideas?

 

[mikecpt]

I think I just found the problem... the device I was testing had a static address set by MAC address.

Sorry for the noise.