SSID to VLAN

I have done the Merlin config as found everywhere on this forum, but I have the strange behaviour of seeing the VLAN traffic on the parent interface and intermittent internet on the VLANs. Is that Xwrt's fault or pfSense's fault?
I'm using the parent interface as the LAN interface; is this OK?
I'm guessing that if you've already set up the Asus per the instructions in this thread then the Asus is working. In that case it must be the router/FW. Checking: your Asus is running as an AP and your pfSense is the main router serving DHCP? You should look for how-tos for pfSense on how to take VLAN traffic on the Opt1 input and route it out. That's what I'll be doing. I had a quick look in the past and there seem to be instructions out there, but I haven't made a big effort at it. But I'll be having guests in for the Christmas holiday that I'll want to give internet to without opening up my LAN, so I'm looking at this again.

To keep it simple, I'm going to have my AC68U broadcast a Guest ID, output the Guest VLAN on LAN4 and connect LAN4 to the Opt1 interface on the OPNsense box. That will take out the complexity of setting up VLANs in a switch. Guest will only be available via WiFi.
 
Yes to both.

Hmmm, the VLANs parent interface is the LAN interface, not OPT1.

My setup is working with all my VLANs on the LAN interface (as parent interface) but I also use the LAN as my private LAN, but as I mentioned sometimes I saw VLAN traffic on the LAN and internet works on my VLANs but intermittently.
 
Ok. Your approach is different from mine.
 
Hmm, so I guess you have an interface only for VLANs and the parent interface is unused?
Nope. LAN is where my LAN comes in. OPT1 will be where Guest comes in. I'll use firewall rules to keep them separate, but give both DHCP (separate subnets) and internet without giving OPT1 access to LAN. IMHO this is a way simpler approach. My goal here is KIS.
 
ok, thanks for your clarification.
 
I am trying to use this configuration, but scale it up to more SSID / VLAN combos and using a managed switch with pfsense. I'm having a terrible time and I'm not convinced the VLAN tagging on Merlin supports what I am trying to accomplish.
.......snipped...
I ended up adding a VLAN10 for "local" ops, and then adding it to the "br0" bridge which contains eth1 and eth2. After a bit of reconfig, everything is good.

Hey, is there any chance you can post your edited scripts? I am trying to do something very, very similar using an ER-X router and a couple of AC68U boxes (until my Unifis come in). I have the guest SSID tagging and passing the proper IP ranges thanks to edits I made to a script in this thread, but I want to do the same with my IoT VLAN and I'm not sure if I need another bridge or what not. Looks like you have that stuff working, but I'm trying to make sure I'm looking at a working script and not one with issues. Thanks!!!
 
Hi all. I've used the info from this thread (post #5) to join my guest wlan with an existing isolated vlan on my RT-AC87U running 380.70 and it works great apart from one thing: when the wlan flaps for any reason (a small change to the wifi config is enough) the guest interface drops back to the default bridge br0.

I was wondering if anyone has found a way to solve this problem. I've read of the new service-event script introduced in 384.5 but I couldn't find much info on it. As it's called before a service event (in this case it would be restart_wireless), would it work with it running the brctl commands to reinstate the correct bridge/interface assignments?

I can't test it as my router is still on 380.70 and I'd rather keep it on that fw for a bit longer unless for a good reason, obviously I would update it to 384.7 if the service-event script can solve this problem.
 
I haven't tried the new scripts but I use a modified SyslogEventMonitor.sh script to detect/recover from an unexpected WLAN restart with the following parameters:
Code:
# Define Trigger messages
#
#       DOWN trigger message
#       UP trigger message
#       DOWN message count (to allow for controlling the trigger/action etc.)
#       ACTION script
#------------------------------------Start of customisation----------------------------------------------------------------
MSG0001T="WiFi subsystem"                       # Title for Syslog messages/SendMail
MSG0001C=0                                      # DOWN message count
MSG0001D="notify_rc restart_wireless"           # DOWN Trigger message
MSG0001U="eth1: Broadcom"                       # UP message: Reset monitoring/recovery action message or perhaps any of these???
                                                #   'wl_module_init: igs set to 0x0'
                                                #   'wl_module_init: txworkq set to 0x1'
                                                #   'eth1: Broadcom BCM4360 802.11 Wireless Controller 6.37.14.126 (r561982)'
                                                #   'eth2: Broadcom BCM4360 802.11 Wireless Controller 6.37.14.126 (r561982)'
                                                #   'device eth1 entered promiscuous mode'
                                                #   v384.xx message -> 'roamast: eth1: add client'
MSG0001XD="/jffs/scripts/MSG0001XD.sh"          # DOWN action script
MSG0001XU="/jffs/scripts/MSG0001XU.sh"          # UP   action script

So you could use the MSG0001XU.sh script to reset BR1
 
Hi Martineau, thanks a lot for your reply. Would you mind sharing your modified script that you use for WLAN?

Anyone else has any info on the new service-event script and if it can be used to restore bridges from wifi restarts?
 
I have sent you a PM link.
 
Thanks again Martineau, I really appreciate you sharing your script. I've thought about it today and perhaps monitoring the syslog may be a bit overkill for my purpose; after all, the wifi restarts don't happen too often.

So I've updated my router to 384.7 and the service-event script works, but as could be expected it's executed before the interfaces are reset, so it doesn't work for this purpose. I've also tried to launch another script from it that waits 10 seconds and then runs the commands, but the service-event script waits for the second script to finish before letting the wifi restart go ahead.

What would work is a non-blocking service-event script or one that is executed after service events are completed, but they aren't available as far as I know.

I'll think about what to do next. Thanks a lot for your help!
 
No problem

Did you try calling your script (the one that contains the 10-second delay etc.) from service-event as follows
Code:
sh   /jffs/scripts/Script_to_run_after_10_secs.sh   &
 
No I didn't, I've tried and it works! Below are the scripts for future reference, I changed the waiting time to 6 which seems just right. Thanks mate, now all the pieces for a working SSID to VLAN mapping configuration are in place.

Code:
me@87u:/jffs/scripts# cat service-event
#!/bin/sh
# Merlin passes the event as two arguments, e.g. "restart" "wireless".
# They are not checked here, so bres runs on every service event.
restart=$1
wireless=$2
# Call the bridge-reset script in the background so this hook returns
# immediately and does not block the wireless restart.
sh /jffs/scripts/bres &

me@87u:/jffs/scripts# cat bres
#!/bin/sh
# Give the wireless restart time to recreate the guest interfaces in br0.
sleep 6

# Move the guest interfaces from the default bridge back into the VLAN bridge.
brctl delif br0 wl0.1
brctl delif br0 wl1.1
brctl addif br1 wl0.1
brctl addif br1 wl1.1
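The unconditional delif/addif pairs above do the job, but they also run when the interfaces are already where they should be. The following script is an added example (mine, not code from this thread or from Merlin) that reads the bridge membership from `brctl show` and prints only the moves still needed, so it can be run from `bres`, from cron or by hand without side effects. Interface and bridge names (wl0.1, wl1.1, br0, br1) are the ones used in the scripts above; the embedded `brctl show` text is a constructed sample of the failure state, not output from a real router.

```shell
#!/bin/sh
# Added example, not code from the thread: reconcile guest-SSID bridge
# membership from the live `brctl show` output instead of issuing
# delif/addif unconditionally. Names follow the scripts in this thread
# (guest interfaces wl0.1/wl1.1, guest bridge br1, default bridge br0);
# the embedded brctl output is a constructed sample of the failure state.

GUEST_IFS="wl0.1 wl1.1"   # guest wireless interfaces (first guest network on each radio)
GUEST_BR="br1"            # bridge that carries the guest VLAN

# Constructed sample: wl0.1 has fallen back into br0 and wl1.1 is in no bridge.
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
br0             8000.3497f608XXXX       no              vlan1
                                                        eth1
                                                        eth2
                                                        wl0.1
br1             8000.3497f608XXXX       no              vlan9'

# brctl show names the bridge only on its first interface line and indents the
# rest; flatten that to one "bridge interface" pair per line.
brctl_pairs() {
    awk 'NR == 1 { next }                          # column header
         NF >= 4 { br = $1; print br, $4; next }   # bridge line with first interface
         NF == 3 { br = $1; next }                 # bridge with no interfaces
         NF == 1 { print br, $1 }'                 # continuation: interface only
}

# Given "bridge interface" pairs, print only the brctl commands still needed.
# An interface already in $GUEST_BR produces nothing, so the plan is idempotent.
plan_moves() {
    awk -v guest="$GUEST_IFS" -v want="$GUEST_BR" '
        BEGIN { n = split(guest, g, " ") }
        { where[$2] = $1 }
        END {
            for (i = 1; i <= n; i++) {
                ifc = g[i]
                if ((ifc in where) && where[ifc] == want) continue
                if (ifc in where) print "brctl delif " where[ifc] " " ifc
                print "brctl addif " want " " ifc
            }
        }'
}

# Read raw `brctl show` text on stdin, write the plan on stdout.
plan_from_brctl() {
    brctl_pairs | plan_moves
}

case "${1:-}" in
    --check) brctl show | plan_from_brctl ;;                      # on the router: show what would change
    --apply) brctl show | plan_from_brctl | sh ;;                 # on the router: apply it
    *)       printf '%s\n' "$SAMPLE_BRCTL" | plan_from_brctl ;;   # offline demo on the sample
esac
```

Run it with no arguments to see the plan for the embedded sample; on the router, `--check` prints what would change and `--apply` pipes the same commands into `sh`. In `bres` it would replace the four brctl lines after the `sleep 6`, so a restart that did not actually move the interfaces, or a second run of the script, changes nothing.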
 
Is anyone else suffering from major performance issues on their Asus AC68U access point after setting this up?

What I am experiencing:
- Highly intermittent connection on my normal WLAN devices; over time this gets worse until almost unusable
- No internet at all on the Guest WLAN, although I can ping the AP

All issues disappear as soon as I take down br1. But then of course the Guest AP does not work anymore.
Interestingly, at some point I only had vlan9 in br1, and still these issues appear as soon as I bring br1 up.

Note that another access point I have, defaulted to the guest VLAN via port 0, is working just fine, so it does not appear to be a router issue.

Here's my services-start file:
Code:
#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
# Switch VLANs: vlan1 (LAN) untagged on ports 1-4; vlan9 (guest) untagged on
# port 0 and tagged on ports 3 and 4. Port 5 is the CPU port, tagged in both.
robocfg vlan 1 ports "1 2 3 4 5t"
robocfg vlan 9 ports "0 3t 4t 5t"
# Create the vlan9 sub-interface on the CPU port
vconfig add eth0 9
ifconfig vlan9 up
# Second bridge: vlan9 plus the guest wireless interfaces (moved out of br0)
brctl addbr br1
brctl delif br0 wl0.1
brctl addif br1 wl0.1
brctl delif br0 wl1.1
brctl addif br1 vlan9
brctl addif br1 wl1.1
ifconfig br1 192.168.9.254
ifconfig br1 up
# Record the bridge membership in NVRAM (wl1.1 is bridged above but not listed here)
nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="vlan9 wl0.1"
nvram set lan1_ifname="br1"
nvram commit
# Restart eapd so it picks up the new interface/bridge assignments
killall eapd
eapd

Ifconfig:
Code:
br0       Link encap:Ethernet  HWaddr AC:9E:17:XX:XX:XX
          inet addr:192.168.1.254  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:18453 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1774 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2503281 (2.3 MiB)  TX bytes:185084 (180.7 KiB)
br1       Link encap:Ethernet  HWaddr AC:9E:17:XX:XX:XX
          inet addr:192.168.9.254  Bcast:192.168.9.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1570 errors:0 dropped:0 overruns:0 frame:0
          TX packets:545 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:115191 (112.4 KiB)  TX bytes:67074 (65.5 KiB)
eth0      Link encap:Ethernet  HWaddr AC:9E:17:XX:XX:XX
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:190567 errors:0 dropped:0 overruns:0 frame:0
          TX packets:173395 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:185933513 (177.3 MiB)  TX bytes:89642423 (85.4 MiB)
          Interrupt:179 Base address:0x4000
eth1      Link encap:Ethernet  HWaddr AC:9E:17:XX:XX:XX
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:130286 errors:0 dropped:0 overruns:0 frame:39508
          TX packets:143133 errors:2 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:80980461 (77.2 MiB)  TX bytes:126308366 (120.4 MiB)
          Interrupt:163
eth2      Link encap:Ethernet  HWaddr AC:9E:17:XX:XX:XX
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:41928 errors:0 dropped:0 overruns:0 frame:27475
          TX packets:63447 errors:17 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:7824384 (7.4 MiB)  TX bytes:62021510 (59.1 MiB)
          Interrupt:169
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
          RX packets:12659 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12659 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3111605 (2.9 MiB)  TX bytes:3111605 (2.9 MiB)
vlan1     Link encap:Ethernet  HWaddr AC:9E:17:XX:XX:XX
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:188895 errors:0 dropped:0 overruns:0 frame:0
          TX packets:169932 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:184767872 (176.2 MiB)  TX bytes:87547007 (83.4 MiB)
vlan9     Link encap:Ethernet  HWaddr AC:9E:17:XX:XX:XX
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1672 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3463 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:278251 (271.7 KiB)  TX bytes:1427240 (1.3 MiB)
wl0.1     Link encap:Ethernet  HWaddr AC:9E:17:XX:XX:XX
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:3773 errors:0 dropped:0 overruns:0 frame:39508
          TX packets:2155 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:559041 (545.9 KiB)  TX bytes:387267 (378.1 KiB)
 
OK so I managed to get my hands on an AC1750 (with Merlin for the AC66 on it). I just can't seem to get a stable install. It's working better than on my AC68, however I'm seeing the following behaviour.

Both the regular wifi and the guest network lose their connectivity after a while (can be a few minutes or hours). I found out that bringing down the bridge and then straight back up again (i.e. netconfig br0 down && netconfig br0 up) fixes the issue.
Looking at my router/DHCP log (a separate unit) suggests that the access point is mixing up the interfaces. IP packets from my regular network suddenly show up on the VLAN interface and are naturally rejected there as they are classified as martians (wrong subnet).

Any ideas on why this would happen, and how to fix it?
 
Ok so my Guest network just lost connectivity again, and indeed now I'm seeing traffic from guest IPs showing up on the regular wifi LAN, which again are correctly rejected by the router

brctl show says all is still set up correctly though:

Code:
bridge name     bridge id               STP enabled     interfaces
br0             8000.3497f608XXXX       no              vlan1
                                                        eth1
                                                        eth2
br1             8000.3497f608XXXX       no              wl0.1
                                                        vlan9
 
Hello gents,

If it's okay to jump on this thread as well, I have a similar setup mentioned earlier in the thread.

Not knowing much about the way routers (or embedded systems in general) are configured, but being proficient at the terminal, could someone clarify a few things?

I am trying to re-create a similar script from https://www.snbforums.com/threads/ssid-to-vlan.24791/#post-331821

1. How do I find out which SSIDs are linked to which interface, e.g. wl0.1, wl1.2
2. What is the purpose of nvram setting the lan and lan1 ifname and ifnames and what does this correspond to on the system
3. How does the tagging work as opposed to just listing the port number with robocfg vlan 4 ports ...

A pre-emptive Thanks to any responders.



p.s. if it brings any extra clarity, my exact scenario is:
I have an Asus RT-AC3200 (Merlin) in access point mode, connected via a pfSense firewall.
I am trying to create an isolated SSID for IoT devices to run on, where they can only communicate with each other and a control server.
 
Given the Asus routers' Broadcom heritage, although the ASUS NVRAM variable names may differ, the concepts i.e. VLANs, tagging on Broadcom routers are very clearly explained here

On the ASUS you can see how the Guest WiFi 2.4Ghz/5GHz interfaces are attached to form the LAN on a single bridge 'br0'
Code:
brctl show
and appropriate NVRAM variables are used by the GUI to associate the SSID with the physical Guest interface
Code:
nvram show 2>/dev/null | sort | grep -E "^wl[0-1].*ssid="
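The three questions can be answered from the shell, and the following script is an added example of doing so (mine, not Martineau's or the thread's code). `ssid_map` turns the `wlX.Y_ssid=` lines the grep above targets into an interface-to-SSID table; `explain_ports` decodes a robocfg ports string like the ones in the services-start script earlier in the thread. The `nvram show` sample is constructed, and the `wlX.Y_bss_enabled` variable used for the enabled/disabled column is an assumption about the firmware's NVRAM names.

```shell
#!/bin/sh
# Added example, not code from the thread: two small parsers that answer
# questions 1 and 3 above. ssid_map reads `nvram show` output and prints which
# wireless interface carries each SSID; explain_ports decodes a robocfg ports
# list. The NVRAM sample is constructed; wlX.Y_ssid is the pattern the grep
# above targets, wlX.Y_bss_enabled is my assumption for the guest enable flag.

# Constructed sample of `nvram show` (only the lines of interest).
SAMPLE_NVRAM='wl0_ssid=HomeNet
wl0.1_ssid=Guest
wl0.1_bss_enabled=1
wl0.2_ssid=IoT
wl0.2_bss_enabled=0
wl1_ssid=HomeNet-5G
wl1.1_ssid=Guest
wl1.1_bss_enabled=1'

# Print "interface ssid state" for every wlX[.Y]_ssid line on stdin.
# wl0 is the 2.4 GHz radio, wl1 the 5 GHz radio; wlX.Y is guest network Y on
# that radio (these are the wl0.1 / wl1.1 interfaces bridged in the scripts
# above). The primary SSID has no ".Y" suffix and is reported as "primary".
# Limitation: an SSID containing "=" is cut at the first "=".
ssid_map() {
    awk -F= '
        /^wl[01](\.[0-9]+)?_ssid=/      { sub(/_ssid$/, "", $1); ssid[$1] = $2 }
        /^wl[01]\.[0-9]+_bss_enabled=/  { sub(/_bss_enabled$/, "", $1); en[$1] = $2 }
        END {
            for (ifc in ssid) {
                if (ifc !~ /\./)          state = "primary"
                else if (en[ifc] == "1")  state = "enabled"
                else                      state = "disabled"
                print ifc, ssid[ifc], state
            }
        }' | LC_ALL=C sort
}

# Decode a robocfg ports list such as: explain_ports 9 0 3t 4t 5t
# A bare number is an untagged (access) port; a trailing "t" means frames
# leave that port with the 802.1Q tag (trunk). In the services-start script
# above port 5 is tagged in every VLAN: it is the CPU port, and tagging it
# there is what lets `vconfig add eth0 9` split VLAN 9 off as vlan9.
explain_ports() {
    vid=$1; shift
    untagged=""; tagged=""
    for p in "$@"; do
        case "$p" in
            *t) tagged="$tagged ${p%t}" ;;
            *)  untagged="$untagged $p" ;;
        esac
    done
    printf 'vlan %s: untagged=[%s] tagged=[%s]\n' "$vid" "${untagged# }" "${tagged# }"
}

printf '%s\n' "$SAMPLE_NVRAM" | ssid_map
explain_ports 1 1 2 3 4 5t       # the LAN VLAN from the services-start script above
explain_ports 9 0 3t 4t 5t       # the guest VLAN from the same script
```

For the sample the table has one line per interface, e.g. `wl0.1 Guest enabled`, and `explain_ports 9 0 3t 4t 5t` prints `vlan 9: untagged=[0] tagged=[3 4 5]`: port 0 is an access port on VLAN 9, ports 3 and 4 carry it tagged, and the CPU port sees it tagged so the kernel-side vlan9 interface receives it. On a real router replace the sample with `nvram show 2>/dev/null | ssid_map`.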
 
Thanks so much for your quick reply!

The link you sent is very helpful, that's pretty much what I was searching for!

So just to make 100% sure:
wl0.x are subinterfaces which correspond to the guest interfaces from the GUI
setting `robocfg vlan 4 ports "1t 5t"` means I want vlan4 to be tagged and connected to port 1 on the switch.
 
