RT-AX88U : Guest and IoT Network VLAN

[Soul_]

What I am trying to do is:

1. Use my bond0(which is composed of eth3 and eth4) to retain the untagged VLAN1, but tag VLAN2000 and VLAN3100 in addition to it, which are hosted (including their routing interface and DHCP server) on a Fortinet connected on the other side of this bond0.
2. Use VLAN2000 to host my guest network SSID
3. Use VLAN3100 to host my IoT network SSID
4. Use AP Isolated mode on the entire guest SSID across 2.4GHz and 5GHz
5. Use AP Isolated mode on the entire IoT SSID across 2.4GHz and 5GHz

Using the info in some of the thread already posted for other routers, and combining them with my needs, my script so far is as below, and it is no where complete. So, I look for guidance and help.

#echo "============== START 1 $(date) ==================" >> /jffs/scripts/log
#ip a >> /jffs/scripts/log
#ip r >> /jffs/scripts/log
#/sbin/ifconfig >> /jffs/scripts/log
#nvram show | grep vlan >> /jffs/scripts/log
#brctl show >> /jffs/scripts/log
#echo "============== END 1 $(date) ==================" >> /jffs/scripts/log

# echo $PATH > /tmp/script_debug

# remove any port which will be reconfigured as a tagged port

# remove interfaces we're gonna move to other bridges
brctl delif br0 bond0
brctl delif br0 wl0.1
brctl delif br0 wl0.2
brctl delif br0 wl1.1
brctl delif br0 wl1.2

# Creating VLAN 2000 and the Input / Output rules (main network)
vlanctl --mcast --if-create bond0 2000
vlanctl --if bond0 --rx --tags 1 --filter-vid 2000 0 --pop-tag --set-rxif bond0.v2000 --rule-append
vlanctl --if bond0 --tx --tags 0 --filter-txif bond0.v2000 --push-tag --set-vid 2000 0 --rule-append
ifconfig bond0.v2000 up

# Creating VLAN 3100 and the Input / Output rules (main network)
vlanctl --mcast --if-create bond0 3100
vlanctl --if bond0 --rx --tags 1 --filter-vid 3100 0 --pop-tag --set-rxif bond0.v3100 --rule-append
vlanctl --if bond0 --tx --tags 0 --filter-txif bond0.v3100 --push-tag --set-vid 3100 0 --rule-append
ifconfig bond0.v3100 up

# This is a very important step, otherwitse (if keep in ONT mode), the broadcasts received in 1 VLAN will be spread to others and your DHCP will become crazy.
vlanctl --if bond0 --set-if-mode-rg

# Organize the bridges
brctl stp br0 on
brctl addbr br1
brctl addbr br2
brctl addif br1 bond0.v2000
brctl addif br1 wl0.1
brctl addif br1 wl1.1
brctl addif br1 bond0.v3100
brctl addif br2 wl0.2
brctl addif br2 wl1.2
brctl addif br0 bond0

# Adjust NVRAM config
nvram set br1_ifname=br1
nvram set br1_ifnames="bond0.v2000 wl0.1 wl1.1"
nvram set lan1_ifname=br1
nvram set lan1_ifnames="bond0.v2000 wl0.1 wl1.1"
nvram set br2_ifname=br2
nvram set br2_ifnames="bond0.v3100 wl0.2 wl1.2"
nvram set lan2_ifname=br2
nvram set lan2_ifnames="bond0.v3100 wl0.2 wl1.2"

wl -i wl0.1 ap_isolate 1
wl -i wl0.2 ap_isolate 1
wl -i wl1.1 ap_isolate 1
wl -i wl1.2 ap_isolate 1

# eapd restart (when change NVRAM, it's necessary)
killall eapd
eapd

#echo "============== START 1 $(date) ==================" >> /jffs/scripts/log
#ip a >> /jffs/scripts/log
#ip r >> /jffs/scripts/log
#/sbin/ifconfig >> /jffs/scripts/log
#nvram show | grep vlan >> /jffs/scripts/log
#brctl show >> /jffs/scripts/log
#echo "============== END 1 $(date) ==================" >> /jffs/scripts/log

 

[Soul_]

Bump?

 

[sfx2000]

You probably don't need to write to nvram every time the script runs...

sighup to reload eapd maybe

avoid unneeded writes to jffs

this script will burn the nand at some point.

FWIW - I'm not working on AsusWRT these days, but still active in development - with a 64/16 (and that 16 is NOR flash), I've become very flash write adverse - only writing persistent info in to flash...

 

[Soul_]

That is a very important note. Thank you. I really didn't realize the write degradation.

Is there any adverse effect of skipping those "nvram set" lines?

Additionally, I realized that my "AP Isolate" lines only work for the SSID if the devices connect on the same frequency. So, if one device connects go wl0.2 and another to wl1.2, they can communicate to each other. Anyway to stop this?

On Cisco APs it was easy. Add same bridge group to both channels and enable port security on the bridge group, and done. I don't know if it is possible to create cross radio bridge group on WRT and set an AP Isolate on it.

 

[amplatfus]

Hi,

Please take a look. Maybe it helps.
LAN port isolation (port-based VLAN) on ASUS RT-AX88U with Asuswrt-Merlin 384.16
https://wu.renjie.im/blog/network/ax88u-vlan/

Good luck!

 

[amplatfus]

Or maybe you already solved, anyway please share here if you would like.
Thank you!

 

[jiveman]

I finally got my own VLAN setup working thanks to many contributors and starting points like @Soul_ . While I really enjoyed the excellent blog post by Renjie, it didn't fit my need specifically, nor was I able to adapt what he did to what I needed to do. I wanted both untagged traffic to flow directly through the standard ethernet ports, but if configured, tagged traffic as well. I assigned one guest network to each guest network to dedicate them to my IOT/Cameras etc.. See here: https://www.snbforums.com/threads/has-anyone-successfully-create-a-vlan.83291/post-917049