maxbraketorque
One feature that's been missing from ASUS routers operating in AP mode is that isolated guest networks are not possible. For anyone who is using ASUS routers in a main/AP combo, this script will enable isolation of guest networks on the AP(s). This script is currently set up for an RT-AC86U, but it is adaptable to other models by determining the correct ethernet interfaces on the particular router and applying those names to this script. This is a very simple script with no command line or GUI interface. Features have to be enabled/disabled using hashtags. Improvements to the script are welcomed.
Code:
#!/bin/sh
#
# Script to create isolated guest networks on ASUS routers in AP mode for 386.x and 388.x firmware.
# This script is a modified version of a script originally created by Jimmy-Z and firstly modified by Eric Lieb.
# The original script by Jimmy-Z is here: https://gist.github.com/Jimmy-Z/6120988090b9696c420385e7e42c64c4
# Eric Lieb's version of the Jimmy-Z script is here: https://www.snbforums.com/threads/ac86u-vlan-tagging-with-merlinwrt.84508/
#
# This script dovetails with the 386.x and 388.x firmware guest network on the main router
# to create isolated guest networks on APs. This only works with Guest Network #1 on the main and AP router.
#
# Basic information about the VLANs that will be implemented:
# 1. This script requires Merlin firmware.
# 2. Newer 386.x and 388.x firmwares implement a VLAN for Guest Network #1 when a router is in router mode.
# 3. Aimesh routers hook to this VLAN for their guest network, but AP routers do not do this.
# 4. This script will implement a VLAN on an AP router that will hook to the guest VLAN on the main router.
# 5. These guest networks on the AP will be isolated from the regular clients on the AP.
# 6. VLAN 501 gets assigned to the 2.4G channel range on Guest Network #1 of the main router.
# 7. VLAN 502 gets assigned to the 5G channel range on Guest Network #1 of the main router.
# 8. These VLANs will be isolated from each other.
# 9. Guest Network #1 on the main router and AP must be enabled per instructions below.
#
# Instructions for ASUS Main Router GUI Setup:
# 1. Create guest networks on the main router.
# a. This only works for Guest Network #1.
# b. Create either a 2.4G or 5G, or both.
# c. Set "Access Intranet" to "Disable".
#
# Instructions for ASUS AP Router GUI Setup:
# 1. Create guest networks.
# a. These should be created on Guest Network #1.
# b. Create the same guest networks that were created on the main router.
# c. There will be no option for guest network isolation in the GUI. That's ok.
# 2. In the Administration/System page of the AP GUI, enable "JFFS custom scripts and configs".
# 3. Review and adjust this script for your desired guest network configuration.
# a. Copy this script to a text file on your computer.
# b. This script comes with all features enabled. Review the script and add hashtags to disable unwanted features.
# 4. Copy this script into the file /jffs/scripts/services-start on the AP.
# a. Create the file if it does not exist.
# b. If the file already exists, there may already be entries in the file. Paste this script after those entries.
# c. It may be necessary to apply `chmod a+x services-start` on the command line after dropping the script into the file.
# 5. It is strongly suggested to associate the AP with a static IP instead of DHCP.
# 6. Reboot the AP.
# 7. Guest Network #1 on the AP will now be isolated.
#
# Here is some basic info about the interfaces of an RT-AC86U in AP mode:
# eth0 => WAN port
# eth1~4 => LAN port 4~1, they're numerically reversed
# eth5 => Main Network WiFi 2.4G
# eth6 => Main Network WiFi 5G
# wl0.1 through wl0.3 => WiFi 2.4G guest networks 1 thru 3
# wl1.1 through wl1.3 => WiFi 5G guest networks 1 thru 3
# Start of script commands to create isolated guest network on ASUS router AP.
# Commands to log AP VLAN config prior to running the script. Add hashtags in front of commands if no logging desired.
echo "=== START display of AP VLAN config PRIOR TO creating guest network VLAN, $(date) ===" >> /jffs/APGuestNetVLAN.log
echo "--- ip a ---" >> /jffs/APGuestNetVLAN.log
ip a >> /jffs/APGuestNetVLAN.log
echo "--- ip r ---" >> /jffs/APGuestNetVLAN.log
ip r >> /jffs/APGuestNetVLAN.log
echo "--- brctl show ---" >> /jffs/APGuestNetVLAN.log
brctl show >> /jffs/APGuestNetVLAN.log
echo "=== END display of AP VLAN config PRIOR TO creating guest network VLAN, $(date) ===" >> /jffs/APGuestNetVLAN.log
# End logging of initial VLAN config.
# Create 2.4G Guest Network #1 on the AP. Add hashtags in front of commands if no 2.4 GHz guest network desired.
# Create VLAN 501 and link to eth0 (WAN port).
ip link add link eth0 name eth0.501 type vlan id 501
ip link set eth0.501 up
# Remove wl0.1 interface from br0.
brctl delif br0 wl0.1
# Set up br1, and then link VLAN 501 and wl0.1 (2.4G Guest Network #1) to br1.
brctl addbr br1
brctl addif br1 eth0.501
brctl addif br1 wl0.1
ip link set br1 up
# Create names in nvram.
nvram set lan1_ifnames="wl0.1 eth0.501"
nvram set lan1_ifname="br1"
nvram set br1_ifnames="wl0.1 eth0.501"
nvram set br1_ifname="br1"
# End setup of 2.4G Guest Network #1 on the AP.
# Create 5G Guest Network #1 on the AP. Add hashtags in front of commands if no 5 GHz guest network desired.
# Create VLAN 502 and link to eth0 (WAN port).
ip link add link eth0 name eth0.502 type vlan id 502
ip link set eth0.502 up
# Remove wl1.1 interface from br0.
brctl delif br0 wl1.1
# Create br2, then link VLAN 502 and wl1.1 (5G Guest Network #1) to br2.
brctl addbr br2
brctl addif br2 eth0.502
brctl addif br2 wl1.1
ip link set br2 up
# Create names in nvram.
nvram set lan2_ifnames="wl1.1 eth0.502"
nvram set lan2_ifname="br2"
nvram set br2_ifnames="wl1.1 eth0.502"
nvram set br2_ifname="br2"
# End setup of 5G Guest Network #1 on the AP.
# eapd reads config from these.
# No need to set lan_ifname since it's already there.
nvram set lan_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth0"
# Restart eapd.
killall eapd
eapd
# Commands to log AP VLAN config after enabling guest network VLAN(s). Add hashtags in front of commands if no logging desired.
echo "=== START display of AP VLAN config AFTER creating guest network VLAN, $(date) ===" >> /jffs/APGuestNetVLAN.log
echo "--- ip a ---" >> /jffs/APGuestNetVLAN.log
ip a >> /jffs/APGuestNetVLAN.log
echo "--- ip r ---" >> /jffs/APGuestNetVLAN.log
ip r >> /jffs/APGuestNetVLAN.log
echo "--- brctl show ---" >> /jffs/APGuestNetVLAN.log
brctl show >> /jffs/APGuestNetVLAN.log
echo "=== END display of AP VLAN config AFTER creating guest network VLAN, $(date) ===" >> /jffs/APGuestNetVLAN.log
# End logging of VLAN config after setting up isolated guest network APs.
# End of AP Isolated Guest Network VLAN Setup script.
#
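A post-reboot check for the bridge layout the script above sets up, added here as an example and not part of the original post: it parses `brctl show` output and confirms that each guest radio shares its bridge only with its VLAN sub-interface. The function names `bridge_members` and `check_guest` are hypothetical and the sample outputs are constructed; the interface and bridge names are the ones used in the script.

```shell
#!/bin/sh
# Added example (not part of the original post): confirm from `brctl show`
# that each guest radio shares a bridge only with its VLAN sub-interface.

# Constructed sample output for an AP after the script has run.
SAMPLE_OK='bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000001       no              eth0
                                                        eth1
                                                        eth5
                                                        eth6
br1             8000.000000000002       no              eth0.501
                                                        wl0.1
br2             8000.000000000003       no              eth0.502
                                                        wl1.1'

# Constructed failure case: wl0.1 was never moved out of br0.
SAMPLE_BAD='bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000001       no              eth0
                                                        wl0.1
br1             8000.000000000002       no              eth0.501'

# Turn brctl show text (stdin) into "bridge iface" pairs, one per line.
bridge_members() {
    awk 'NR == 1 { next }                       # column header
         NF >= 3 { br = $1; if (NF >= 4) print br, $4; next }
         NF == 1 { print br, $1 }'              # continuation line
}

# check_guest TEXT GUEST_IF VLAN_IF BRIDGE -> 0 if isolated, 1 otherwise
check_guest() {
    pairs=$(printf '%s\n' "$1" | bridge_members)
    in_guest=$(printf '%s\n' "$pairs" | awk -v i="$2" '$2 == i { print $1 }')
    in_vlan=$(printf '%s\n' "$pairs" | awk -v i="$3" '$2 == i { print $1 }')
    extra=$(printf '%s\n' "$pairs" |
        awk -v b="$4" -v g="$2" -v v="$3" '$1 == b && $2 != g && $2 != v { print $2 }')
    [ "$in_guest" = "$4" ] || { echo "FAIL: $2 is in '$in_guest', expected $4"; return 1; }
    [ "$in_vlan" = "$4" ] || { echo "FAIL: $3 is in '$in_vlan', expected $4"; return 1; }
    [ -z "$extra" ] || { echo "FAIL: $4 also bridges: $extra"; return 1; }
    echo "OK: $2 and $3 are the only members of $4"
}

# On the AP itself: check_guest "$(brctl show)" wl0.1 eth0.501 br1
check_guest "$SAMPLE_OK" wl0.1 eth0.501 br1
check_guest "$SAMPLE_OK" wl1.1 eth0.502 br2
check_guest "$SAMPLE_BAD" wl0.1 eth0.501 br1 || echo "(expected failure on the bad sample)"
```

A failure on the AP means guest clients are still bridged with the main LAN (or the guest bridge has picked up an extra port), so the guest SSID should be treated as not isolated until the layout is corrected.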