Setting up VLANs on AC68P

[Roy360360]

Hey all,
I use my AC68P as an AP, and I'm trying to get VLAN tagging working on it. I've had some success but I think I need some help to complete this.

I want router to have the following VLANs:

VLAN	Physical Ports	Wireless
1 (Default)	WAN, LAN1, LAN2, LAN3	2.4G / 5G
20		2.4G / 5G
30	LAN4	2.4G
60		2.4G

I can collapse the number of VLANs if it's recommended.

pfsense is handling the DCHP server for all the VLANs. A Csico switch sits inbetween pfsense and the ASUS router.

Success so far:

I was able to tag port 4 to VLAN 30 and successfully got an IP from pfsense.

# Remove Port 4 from Default LAN
robocfg vlan 1 ports "0 1 2 3 5t"
# Add Port 4 to VLAN30
robocfg vlan 30 ports "0t 4 5t"

Problems:

(1) I wanted the robocfg to persist after a reboot so I created the following script:

#!/bin/sh

# multi SSID with VLAN script for AC68P
# Trunk Port : WAN
# Ports 1 - 3: LAN (Untagged)
# Ports 4    : VLAN30
# Guest WiFi:
#         wl0.1 - ASUS [Guest]    : VLAN20
#         wl0.2 - ASUS [IOT]      : VLAN30
#         wl0.3 - ASUS [Guest 2]   : VLAN60
#         wl1.1 - ASUS_5G [Guest] : VLAN20
sleep 10

robocfg vlan 1 ports "0 1 2 3 5t"
robocfg vlan 20 ports "0t 5t"
robocfg vlan 30 ports "0t 4 5t"
robocfg vlan 60 ports "0t 5t"

touch /tmp/000services-started

However the script never runs. 000services-started is never created.
I can execute the script manually with ./service-start.sh, so I don't think it's a syntax issue.
I set permissions through winscp (0755) and my router has ' Enable JFFS custom scripts and configs ' checked.

EDIT: Fixed thanks to @ColinTaylor. I didn't realize you couldn't have .sh in the script names

(2) I never managed to get Wifi working. I can setup the bridges with the code below, but not sure where to proceed from there. Only the default WiFi works.

#!/bin/sh

# multi SSID with VLAN script for AC68P
# Trunk Port : WAN
# Ports 1 - 3: LAN (Untagged)
# Ports 4    : VLAN30
# Guest WiFi:
#         wl0.1 - ASUS [Guest]    : VLAN20
#         wl0.2 - ASUS [IOT]      : VLAN30
#         wl0.3 - ASUS [Guest 2]    : VLAN60
#         wl1.1 - ASUS_5G [Guest] : VLAN20

#        eth0 - LAN
#        eth1 - 2.4G Wifi
#        eth2 - 5G Wifi

#VLAN Setup
robocfg vlan 1 ports "0 1 2 3 5t"
robocfg vlan 20 ports "0t 5t"
robocfg vlan 30 ports "0t 4 5t"
robocfg vlan 60 ports "0t 5t"

vconfig add eth0 20
vconfig add eth0 30
vconfig add eth0 60

ifconfig vlan20 up
ifconfig vlan30 up
ifconfig vlan60 up


# Remove Guest Networks from VLAN1
brctl delif br0 wl0.1
brctl delif br0 wl0.2
brctl delif br0 wl0.3
brctl delif br0 wl1.1


# Guest WiFi
brctl addbr br1
brctl addif br1 vlan20
brctl addif br1 wl0.1
brctl addif br1 wl1.1

ifconfig br1 192.168.20.3 netmask 255.255.255.0
ifconfig br1 up

# IoT WiFi
brctl addbr br2
brctl addif br2 vlan30
brctl addif br2 wl0.2

ifconfig br2 192.168.30.3 netmask 255.255.255.0
ifconfig br2 up

# Xiaomi WiFi
brctl addbr br3
brctl addif br3 vlan60
brctl addif br3 wl0.3

ifconfig br3 192.168.60.3 netmask 255.255.255.0
ifconfig br3 up


nvram set lan_ifnames="vlan1 eth1 eth2" # not sure what this line is for....

nvram set lan1_ifnames="vlan20 wl0.1 wl1.1"
nvram set lan1_ifname="br1"

nvram set lan2_ifnames="vlan30 wl0.2"
nvram set lan2_ifname="br2"

nvram set lan3_ifnames="vlan60 wl0.3"
nvram set lan3_ifname="br3"

killall eapd
eapd

Resources I used:

SSID to VLAN

Hello! Model: Asus RT-AC56U Firmware: 378.53 (AsusWRT-Merlin) Some default configs: lanports=0 1 2 3 wanports=4 landevs=vlan1 wl0 wl1 vlan1hwname=et0 vlan1ports=0 1 2 3 5* vlan2hwname=et0 vlan2ports=4 5u I'm trying to build a professional home network =D (to learn) I'm new to AsusWRT, Merlin...

www.snbforums.com

User scripts

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng

github.com

multi SSID with VLAN script, for ASUS AC86U with merlin

multi SSID with VLAN script, for ASUS AC86U with merlin - services-start.sh

gist.github.com

 

[ColinTaylor]

The script should be called "services-start" not "service-start.sh".

 

[Roy360360]

The script should be called "services-start" not "service-start.sh".

Thanks.
I just copied the filename that was on the github link (the missing s was a typo I made in the thread). Did not realize the .sh was missing things up. The LAN tagging is working now.

 

[Roy360360]

Spoiler: robocfg show vlan

   1: vlan1: 0 1 2 3 5t
   2: vlan2: 5t
  20: vlan20: 0t 5t
  30: vlan30: 0t 4 5t
  60: vlan60: 0t 5t
1045: vlan1045: 3 7t 8t
1046: vlan1046: 0 1 5t 7t
1047: vlan1047: 0t 1 4 5t 7t 8u
1099: vlan1099: 1 2t 3 4t 8u
1100: vlan1100: 0 1 2 3 5 7
1101: vlan1101: 0 1 4 5
1102: vlan1102: 3 5 8u
1103: vlan1103: 0t 1 2 4 7

Spoiler: brctl show

bridge name     bridge id               STP enabled     interfaces
br0             8000.382c4ae3f5f0       no              vlan1
                                                        eth1
                                                        eth2
br1             8000.382c4ae3f5f0       no              vlan20
                                                        wl0.1
                                                        wl1.1
br2             8000.382c4ae3f5f0       no              vlan30
                                                        wl0.2
br3             8000.382c4ae3f5f0       no              vlan60
                                                        wl0.3

Spoiler: ifconfig -a

br0       Link encap:Ethernet  HWaddr 38:2C:4A:E3:F5:F0
          inet addr:192.168.1.3  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:1631 errors:0 dropped:0 overruns:0 frame:0
          TX packets:807 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:295414 (288.4 KiB)  TX bytes:70788 (69.1 KiB)

br1       Link encap:Ethernet  HWaddr 38:2C:4A:E3:F5:F0
          inet addr:192.168.20.3  Bcast:192.168.20.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:59 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3122 (3.0 KiB)  TX bytes:1232 (1.2 KiB)

br2       Link encap:Ethernet  HWaddr 38:2C:4A:E3:F5:F0
          inet addr:192.168.30.3  Bcast:192.168.30.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:55 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2750 (2.6 KiB)  TX bytes:1232 (1.2 KiB)

br3       Link encap:Ethernet  HWaddr 38:2C:4A:E3:F5:F0
          inet addr:192.168.60.3  Bcast:192.168.60.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:55 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2750 (2.6 KiB)  TX bytes:1232 (1.2 KiB)

dpsta     Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth0      Link encap:Ethernet  HWaddr 38:2C:4A:E3:F5:F0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1606 errors:0 dropped:0 overruns:0 frame:0
          TX packets:882 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:302414 (295.3 KiB)  TX bytes:86957 (84.9 KiB)
          Interrupt:179 Base address:0x4000

eth1      Link encap:Ethernet  HWaddr 38:2C:4A:E3:F5:F0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:55
          TX packets:0 errors:1 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:163

eth2      Link encap:Ethernet  HWaddr 38:2C:4A:E3:F5:F4
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:61 errors:0 dropped:0 overruns:0 frame:26
          TX packets:933 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9871 (9.6 KiB)  TX bytes:137215 (133.9 KiB)
          Interrupt:169

ifb0      Link encap:Ethernet  HWaddr EA:C6:EB:FF:78:D1
          BROADCAST NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ifb1      Link encap:Ethernet  HWaddr 0A:A4:E9:18:06:85
          BROADCAST NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
          RX packets:376 errors:0 dropped:0 overruns:0 frame:0
          TX packets:376 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:90456 (88.3 KiB)  TX bytes:90456 (88.3 KiB)

lo:0      Link encap:Local Loopback
          inet addr:127.0.1.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1

vlan1     Link encap:Ethernet  HWaddr 38:2C:4A:E3:F5:F0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:1410 errors:0 dropped:0 overruns:0 frame:0
          TX packets:881 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:261503 (255.3 KiB)  TX bytes:86933 (84.8 KiB)

vlan2     Link encap:Ethernet  HWaddr 38:2C:4A:E3:F5:F0
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

vlan20    Link encap:Ethernet  HWaddr 38:2C:4A:E3:F5:F0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:62 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3348 (3.2 KiB)  TX bytes:24 (24.0 B)

vlan30    Link encap:Ethernet  HWaddr 38:2C:4A:E3:F5:F0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:63 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3404 (3.3 KiB)  TX bytes:0 (0.0 B)

vlan60    Link encap:Ethernet  HWaddr 38:2C:4A:E3:F5:F0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:62 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3348 (3.2 KiB)  TX bytes:0 (0.0 B)

wl0.1     Link encap:Ethernet  HWaddr 38:2C:4A:E3:F5:F1
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:55
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wl0.2     Link encap:Ethernet  HWaddr 38:2C:4A:E3:F5:F2
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:55
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wl0.3     Link encap:Ethernet  HWaddr 38:2C:4A:E3:F5:F3
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:55
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wl1.1     Link encap:Ethernet  HWaddr 38:2C:4A:E3:F5:F5
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:26
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

 

[Roy360360]

Looks like I had some small mistakes in my script. The following works for me. I've updated the OP.

I haven't tested whether wireless clients are isolated, but at the very least something on ASUS [Guest] can't connect to someone on VLAN1 (untagged). DCHP server is working as intended too.

Will test over the next few days to see if the router is still working.

#!/bin/sh

# multi SSID with VLAN script for AC68P
# Trunk Port : WAN
# Ports 1 - 3: LAN (Untagged)
# Ports 4    : VLAN30
# Guest WiFi:
#         wl0.1 - ASUS [Guest]    : VLAN20
#         wl0.2 - ASUS [IOT]      : VLAN30
#         wl0.3 - ASUS [Guest 2]    : VLAN60
#         wl1.1 - ASUS_5G [Guest] : VLAN20

#        eth0 - LAN
#        eth1 - 2.4G Wifi
#        eth2 - 5G Wifi

#VLAN Setup
robocfg vlan 1 ports "0 1 2 3 5t"
robocfg vlan 20 ports "0t 5t"
robocfg vlan 30 ports "0t 4 5t"
robocfg vlan 60 ports "0t 5t"

vconfig add eth0 20
vconfig add eth0 30
vconfig add eth0 60

ifconfig vlan20 up
ifconfig vlan30 up
ifconfig vlan60 up


# Remove Guest Networks from VLAN1
brctl delif br0 wl0.1
brctl delif br0 wl0.2
brctl delif br0 wl0.3
brctl delif br0 wl1.1


# Guest WiFi
brctl addbr br1
brctl addif br1 vlan20
brctl addif br1 wl0.1
brctl addif br1 wl1.1

ifconfig br1 192.168.20.3 netmask 255.255.255.0
ifconfig br1 up

# IoT WiFi
brctl addbr br2
brctl addif br2 vlan30
brctl addif br2 wl0.2

ifconfig br2 192.168.30.3 netmask 255.255.255.0
ifconfig br2 up

# Xiaomi WiFi
brctl addbr br3
brctl addif br3 vlan60
brctl addif br3 wl0.3

ifconfig br3 192.168.60.3 netmask 255.255.255.0
ifconfig br3 up


nvram set lan_ifnames="vlan1 eth1 eth2" # not sure what this line is for....

nvram set lan1_ifnames="vlan20 wl0.1 wl1.1"
nvram set lan1_ifname="br1"

nvram set lan2_ifnames="vlan30 wl0.2"
nvram set lan2_ifname="br2"

nvram set lan3_ifnames="vlan60 wl0.3"
nvram set lan3_ifname="br3"

killall eapd
eapd

Next step is to port this script to my AC66U.


Looks like it was a mistake to buy a managed switch.
Could have just these routers instead and saved myself 60$

 

[L&LD]

No worries! Consider the small $60 the cost of this 'education'.

 

[L&LD]

Please don't cross post.

See my answer in your other thread.