SSID to VLAN

[User774]

Hello!

Model: Asus RT-AC56U
Firmware: 378.53 (AsusWRT-Merlin)

Some default configs:

lanports=0 1 2 3
wanports=4
landevs=vlan1 wl0 wl1
vlan1hwname=et0
vlan1ports=0 1 2 3 5*
vlan2hwname=et0
vlan2ports=4 5u

I'm trying to build a professional home network =D (to learn)
I'm new to AsusWRT, Merlin, DD-WRT, etc...
I spend some days reading a lot and learning all that I can.

I liked the AsusWRT-Merlin (from lostrealm.ca), because I can use some features like Trend Virtual Patch/AD block, and some new options/features provided by Merlin custom firmware.

But I'm confused if the management via shell is allowed.

Basically, I wish:

• Ports 0 and 1 (LAN 1 and 2) as VLAN1 (as the default configuration) - I will not use these ports
• Port 2 (LAN3) as VLAN9
• Create a Wireless for guest, VLAN 8
  
• Port 3 (LAN4) in trunk (receive tagged packets from VLAN1, 9 and 8), I'll connect a UTM/FW to act as the FW, gateway, DHCP server, etc.. (the WAN will be connected to this UTM/FW)

But before the hard work, I tried to create a small/simplest test environment to check if this firmware will allow me to do what I need.
Small test:

• Create a Guest network and bridge to a VLAN with one switch's port
• This VLAN isn't allowed to access the others VLANs
• The RT-AC56U will be connected with port 3 (LAN4) to a notebook
• After test the wired part, I'll disconnect the ethernet cable and use the wireless of this notebook to test the Guest network
• The UTM/FW isn't present at the test environment (just the RT-AC56U and a notebook).

What I did:

1. Upgraded to the latest version of AsusWRT, then reset the configuration to defaults
2. Upgrated to the latest version of AsusWRT-Merlin (378.53), then reset the configuration to defaults
3. Disabled the "JFFS"
4. Using the web interface, created a "Guest Network" (wireless) - wl0.1
5. Then via SSH:
   

   # Remove port 3 from VLAN1
   robocfg vlan 1 ports "0 1 2 5t"
   # Create VLAN9, and add port 3
   robocfg vlan 9 ports "3 5t"
   # Remove wl0.1 (the guest network) from br0
   brctl delif br0 wl0.1
   # up interface vlan9
   ifconfig vlan9 up
   # create br9
   brctl addbr br9
   # enable stp
   brctl stp br9 on
   # add vlan9 to br9
   brctl addif br9 vlan9
   # add wl0.1 to br9
   brctl addif br9 wl0.1
   # up interface
   ifconfig br9 up
   # Cleanup (removed the wl0.1 from "lan_ifnames")
   nvram set lan_ifnames="vlan1 eth1 eth2"
   # Created lan9_ifnames
   nvram set lan9_ifnames="vlan9 wl0.1"
   nvram set lan9_ifname="br9"
   # Mapped vlan9ports
   nvram set vlan9ports="3 5t"
   nvram set vlan9hwname=et0
   # Commit
   nvram commit
   # Configured an IP address to the bridge
   ifconfig br9 10.0.0.1 netmask 255.255.255.0 up

   
   
6. At this point, I can see:
   - 2 bridges, br0 and br9 (brctl show)
   - Port 3 (LAN4) is on VLAN 9 (robocfg show)
   - Interfaces vlan9, br9 and wl0.1 are up (ifconfig)
   
   
7. If I try to connect on the Guest wireless, I get a "Time out" error (some times, "Wrong password", but wl0.1_wpa_psk reports the correct password..)
   
   
8. I tried to configure manually the IP address 10.0.0.9/24 on my notebook (because the DHCP isn't configured..), but the problem persists.
   
   
9. The wired part, I configured a IP on my notebook, and ran the PING to the 10.0.0.1, but no response
   
   
10. I ran "iptables -F' to check if the iptables is blocking something, but doesn't worked
    
    
11. If I reboot the router, all changes are lost.

Just to check, I'm doing something wrong?

 

[coldwizard]

Hello!

Model: Asus RT-AC56U
Firmware: 378.53 (AsusWRT-Merlin)

Some default configs:

lanports=0 1 2 3
wanports=4
landevs=vlan1 wl0 wl1
vlan1hwname=et0
vlan1ports=0 1 2 3 5*
vlan2hwname=et0
vlan2ports=4 5u

I'm trying to build a professional home network =D (to learn)
I'm new to AsusWRT, Merlin, DD-WRT, etc...
I spend some days reading a lot and learning all that I can.

I liked the AsusWRT-Merlin (from lostrealm.ca), because I can use some features like Trend Virtual Patch/AD block, and some new options/features provided by Merlin custom firmware.

But I'm confused if the management via shell is allowed.

Basically, I wish:

• Ports 0 and 1 (LAN 1 and 2) as VLAN1 (as the default configuration) - I will not use these ports
• Port 2 (LAN3) as VLAN9
• Create a Wireless for guest, VLAN 8
  
• Port 3 (LAN4) in trunk (receive tagged packets from VLAN1, 9 and 8), I'll connect a UTM/FW to act as the FW, gateway, DHCP server, etc.. (the WAN will be connected to this UTM/FW)

But before the hard work, I tried to create a small/simplest test environment to check if this firmware will allow me to do what I need.
Small test:

• Create a Guest network and bridge to a VLAN with one switch's port
• This VLAN isn't allowed to access the others VLANs
• The RT-AC56U will be connected with port 3 (LAN4) to a notebook
• After test the wired part, I'll disconnect the ethernet cable and use the wireless of this notebook to test the Guest network
• The UTM/FW isn't present at the test environment (just the RT-AC56U and a notebook).

What I did:

1. Upgraded to the latest version of AsusWRT, then reset the configuration to defaults
2. Upgrated to the latest version of AsusWRT-Merlin (378.53), then reset the configuration to defaults
3. Disabled the "JFFS"
4. Using the web interface, created a "Guest Network" (wireless) - wl0.1
5. Then via SSH:
   

   # Remove port 3 from VLAN1
   robocfg vlan 1 ports "0 1 2 5t"
   # Create VLAN9, and add port 3
   robocfg vlan 9 ports "3 5t"
   # Remove wl0.1 (the guest network) from br0
   brctl delif br0 wl0.1
   # up interface vlan9
   ifconfig vlan9 up
   # create br9
   brctl addbr br9
   # enable stp
   brctl stp br9 on
   # add vlan9 to br9
   brctl addif br9 vlan9
   # add wl0.1 to br9
   brctl addif br9 wl0.1
   # up interface
   ifconfig br9 up
   # Cleanup (removed the wl0.1 from "lan_ifnames")
   nvram set lan_ifnames="vlan1 eth1 eth2"
   # Created lan9_ifnames
   nvram set lan9_ifnames="vlan9 wl0.1"
   nvram set lan9_ifname="br9"
   # Mapped vlan9ports
   nvram set vlan9ports="3 5t"
   nvram set vlan9hwname=et0
   # Commit
   nvram commit
   # Configured an IP address to the bridge
   ifconfig br9 10.0.0.1 netmask 255.255.255.0 up

   
   
6. At this point, I can see:
   - 2 bridges, br0 and br9 (brctl show)
   - Port 3 (LAN4) is on VLAN 9 (robocfg show)
   - Interfaces vlan9, br9 and wl0.1 are up (ifconfig)
   
   
7. If I try to connect on the Guest wireless, I get a "Time out" error (some times, "Wrong password", but wl0.1_wpa_psk reports the correct password..)
   
   
8. I tried to configure manually the IP address 10.0.0.9/24 on my notebook (because the DHCP isn't configured..), but the problem persists.
   
   
9. The wired part, I configured a IP on my notebook, and ran the PING to the 10.0.0.1, but no response
   
   
10. I ran "iptables -F' to check if the iptables is blocking something, but doesn't worked
    
    
11. If I reboot the router, all changes are lost.

Just to check, I'm doing something wrong?

I suspect at your point 7 connecting to the SSID will work only when using no security.

I suggest you change this ....
# Created lan9_ifnames
nvram set lan9_ifnames="vlan9 wl0.1"
nvram set lan9_ifname="br9"

to the lower number 1 since eapd may not look as high as 9 (or may not like skipping numbers).
# Created lan1_ifnames
nvram set lan1_ifnames="vlan9 wl0.1"
nvram set lan1_ifname="br9"

Then you need the stop/ restart process eapd to read the new nvram names and get security to work on the WiFi.

# restart eapd
killall eapd
eapd

See thread
http://www.snbforums.com/threads/ac56u-how-to-add-bridges-with-dhcp-servers.20326/

 

[ASAT]

# restart eapd
killall eapd
eapd

why eapd?

 

[Gorsha]

Hello everybody.

I'm also looking for solution to have additional Wi-fi network on RT-AC68U for IPTV connection (VLAN 3999). Because of multicast, the solution is to completely separate this network from LAN (VLAN 5). I'm running Asuswrt-merlin 378.54_2.

I'm experiencing same problem as others - if I enable guest network (wl0.1) and add it to another bridge (br1) then with WPA2 security Wi-fi connection doesn't work - my PC can't connect to either Wi-fi network.

I've tried with this command, according to few posts here on this forum, but no success:

nvram set lan_ifnames="vlan5 eth1 eth2"
nvram set lan_ifname="br0"

nvram set lan1_ifnames="vlan3999 wl0.1"
nvram set lan1_ifname="br1"
nvram commit

killall eapd
eapd

I have encountered same problems using Tomato Shibby firmware.

Looking at the source code for eapd each interface should be configured at eapd startup (autoconfig) if set in ifnames variable, but it's hard to know if this configuration is done correctly or not.

I've been trying to recompile eapd from source code (Asuswrt -> eapd-arm-10) with debbuging enabled, so I could have so insight what is happening, but so far I didn't have success compiling the firmware.

If anyone has some ideas about this, I would be very grateful.

 

[starfall]

It works! WPA2 is working on the guest VLAN setup. I'm over the moon. Here is my services-start script in case somebody wants to use it -

#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

robocfg vlan 9 ports "4t 5t"
vconfig add eth0 9
ifconfig vlan9 up

brctl addbr br1
brctl delif br0 wl0.1
brctl addif br1 wl0.1
brctl delif br0 wl1.1
brctl addif br1 wl1.1
brctl addif br1 vlan9
#ifconfig br1 192.168.9.254 netmask 255.255.255.0
ifconfig br1 up

nvram set lan_ifnames="vlan1 eth1 eth2 wl0.2 wl1.2"
nvram set lan_ifname="br0"

nvram set lan1_ifnames="vlan9 wl0.1 wl1.1"
nvram set lan1_ifname="br1"

nvram commit
killall eapd
eapd

My AC68U (running 378.54_2) is in AP mode as I'm using a pfSense HA cluster as router. However, I suggest using a local IP on the AP first to test the client (ie. remove the comment on the ifconfig line). Also, remember to setup dhcp on the guest VLAN, or else test it with a static IP on the client.

EDIT: Just to clarify, I have a switch connected to the AC68U, and it is on port 4. I've left the normal LAN VLAN untagged, and only tagged the new guest VLAN as VLAN 9, hence, " 4t 5t". Port 5 is of course the internal interface of the ASUS.

 

[Gorsha]

It works! WPA2 is working on the guest VLAN setup. I'm over the moon. Here is my services-start script in case somebody wants to use it -

#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

robocfg vlan 9 ports "4t 5t"
vconfig add eth0 9
ifconfig vlan9 up

brctl addbr br1
brctl delif br0 wl0.1
brctl addif br1 wl0.1
brctl delif br0 wl1.1
brctl addif br1 wl1.1
brctl addif br1 vlan9
#ifconfig br1 192.168.9.254 netmask 255.255.255.0
ifconfig br1 up

nvram set lan_ifnames="vlan1 eth1 eth2 wl0.2 wl1.2"
nvram set lan_ifname="br0"

nvram set lan1_ifnames="vlan9 wl0.1 wl1.1"
nvram set lan1_ifname="br1"

nvram commit
killall eapd
eapd

My AC68U (running 378.54_2) is in AP mode as I'm using a pfSense HA cluster as router. However, I suggest using a local IP on the AP first to test the client (ie. remove the comment on the ifconfig line). Also, remember to setup dhcp on the guest VLAN, or else test it with a static IP on the client.

EDIT: Just to clarify, I have a switch connected to the AC68U, and it is on port 4. I've left the normal LAN VLAN untagged, and only tagged the new guest VLAN as VLAN 9, hence, " 4t 5t". Port 5 is of course the internal interface of the ASUS.

I can confirm that this also works for me on AC68U (378.54_2). It seems I missed something in my previous attempts. Now I can unleash full power of the router, thanks to Merlin's firmware.
Thanks!

 

[net101]

Here's my script. It still doesn't work for me. What am I doing wrong? How can I get more information to diagnose the issue.

#!/bin/ash
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
rm /tmp/000services-start

robocfg vlan 1 ports "0t 1 5t"
robocfg vlan 26 ports "0t 2 3 4 5t"
robocfg vlan 27 ports "0t 5t"

vconfig add eth0 26
ifconfig vlan26 up

vconfig add eth0 27
ifconfig vlan27 up

ifconfig br1 down
brctl delbr br1
brctl addbr br1

ifconfig br2 down
brctl delbr br2
brctl addbr br2

brctl delif br0 wl0.1
brctl delif br0 wl1.1

brctl delif br0 wl0.2
brctl delif br0 wl1.2

brctl addif br1 wl0.1
brctl addif br1 wl1.1
brctl addif br1 vlan26

brctl addif br2 wl0.2
brctl addif br2 wl1.2
brctl addif br2 vlan27

ifconfig br1 192.168.26.3 netmask 255.255.255.0
ifconfig br1 up

ifconfig br2 192.168.27.3 netmask 255.255.255.0
ifconfig br2 up

nvram set lan26_ifnames="vlan26 wl0.1 wl1.1"
nvram set lan26_ifname="br1"

nvram set lan27_ifnames="vlan27 wl0.2 wl1.2"
nvram set lan27_ifname="br2"

nvram commit

killall eapd
eapd

touch /tmp/000services-start

 

[Martineau]

Here's my script. It still doesn't work for me. What am I doing wrong? How can I get more information to diagnose the issue.

#!/bin/ash
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
rm /tmp/000services-start

robocfg vlan 1 ports "0t 1 5t"
robocfg vlan 26 ports "0t 2 3 4 5t"
robocfg vlan 27 ports "0t 5t"

vconfig add eth0 26
ifconfig vlan26 up

vconfig add eth0 27
ifconfig vlan27 up

ifconfig br1 down
brctl delbr br1
brctl addbr br1

ifconfig br2 down
brctl delbr br2
brctl addbr br2

brctl delif br0 wl0.1
brctl delif br0 wl1.1

brctl delif br0 wl0.2
brctl delif br0 wl1.2

brctl addif br1 wl0.1
brctl addif br1 wl1.1
brctl addif br1 vlan26

brctl addif br2 wl0.2
brctl addif br2 wl1.2
brctl addif br2 vlan27

ifconfig br1 192.168.26.3 netmask 255.255.255.0
ifconfig br1 up

ifconfig br2 192.168.27.3 netmask 255.255.255.0
ifconfig br2 up

nvram set lan26_ifnames="vlan26 wl0.1 wl1.1"
nvram set lan26_ifname="br1"

nvram set lan27_ifnames="vlan27 wl0.2 wl1.2"
nvram set lan27_ifname="br2"

nvram commit

killall eapd
eapd

touch /tmp/000services-start

Line 1 contains a typo?

 

[net101]

Thanks (embarrassed!) but running the commands manually doesn't make it work either.

I am using AP mode.

Here is the output from the various commands:

admin@RT-AC68U-XXXX:/tmp/home/root# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.10c37bXXXXXX       no              vlan1
                                                        eth1
                                                        eth2
br1             8000.10c37bXXXXXX       no              wl0.1
                                                        wl1.1
                                                        vlan26
br2             8000.10c37bXXXXXX       no              wl0.2
                                                        wl1.2
                                                        vlan27

admin@RT-AC68U-XXXX:/tmp/home/root# robocfg show vlan
Switch: enabled
Port 0:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: f0:de:f1:f5:c0:d2
Port 2:   DOWN enabled stp: none vlan: 26 jumbo: off mac: 00:00:00:00:00:00
Port 3:   DOWN enabled stp: none vlan: 26 jumbo: off mac: 00:00:00:00:00:00
Port 4:   DOWN enabled stp: none vlan: 26 jumbo: off mac: 00:00:00:00:00:00
Port 8:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 0t 1 5t
   2: vlan2: 5t
  26: vlan26: 0t 2 3 4 5t
  27: vlan27: 0t 5t
  56: vlan56: 1t 2 4 5
  57: vlan57: 1t 2t 3t 4 7
  58: vlan58: 0t 8u
  59: vlan59: 0t 2t 4 8t
  60: vlan60: 0t 1t 2t 3
  61: vlan61: 1 2t 3t 4 7t 8u
  62: vlan62: 2t 7t

admin@RT-AC68U-XXXX:/tmp/home/root# nvram show | grep ifnames
size: 42544 bytes (22992 left)
wl0_vifnames=wl0.1 wl0.2 wl0.3
wl1_vifnames=wl1.1 wl1.2 wl1.3
lan26_ifnames=vlan26 wl0.1 wl1.1
dpsta_ifnames=
lan_ifnames=vlan1 eth1 eth2 wl0.1 wl0.2 wl1.1 wl1.2
lan27_ifnames=vlan27 wl0.2 wl1.2
wan_ifnames=vlan2
wl_ifnames=eth1 eth2
wl_vifnames=wl0.1 wl0.2 wl0.3
acs_ifnames=eth1 eth2

 

[starfall]

Line 1 contains a typo?

/bin/ash is a valid shell

I think it's to do with the lanX_ifnames nvram settings. See this post for more info - WAP/Guest SSID/Port based VLAN

 

[Martineau]

/bin/ash is a valid shell

Indeed and I assume there is no functional difference between shells 'sh' and 'ash' given they are both symlinks to Busybox, but many of my personal programming/scripting errors have been attributed to an incorrect assumption that such a trivial technical detail couldn't possibly be the reason why my programs to fail execute as desired!

Stranger things have happened and as I was taught; "Computers only do what you tell them to do - rarely what you wanted/intended them to do!"

 

[coldwizard]

It works! WPA2 is working on the guest VLAN setup. I'm over the moon. Here is my services-start script in case somebody wants to use it -

#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

robocfg vlan 9 ports "4t 5t"
vconfig add eth0 9
ifconfig vlan9 up

brctl addbr br1
brctl delif br0 wl0.1
brctl addif br1 wl0.1
brctl delif br0 wl1.1
brctl addif br1 wl1.1
brctl addif br1 vlan9
#ifconfig br1 192.168.9.254 netmask 255.255.255.0
ifconfig br1 up

nvram set lan_ifnames="vlan1 eth1 eth2 wl0.2 wl1.2"
nvram set lan_ifname="br0"

nvram set lan1_ifnames="vlan9 wl0.1 wl1.1"
nvram set lan1_ifname="br1"

nvram commit
killall eapd
eapd

My AC68U (running 378.54_2) is in AP mode as I'm using a pfSense HA cluster as router. However, I suggest using a local IP on the AP first to test the client (ie. remove the comment on the ifconfig line). Also, remember to setup dhcp on the guest VLAN, or else test it with a static IP on the client.

EDIT: Just to clarify, I have a switch connected to the AC68U, and it is on port 4. I've left the normal LAN VLAN untagged, and only tagged the new guest VLAN as VLAN 9, hence, " 4t 5t". Port 5 is of course the internal interface of the ASUS.

For anyone that wants to modify the script above for another Asus model, this table of hardware ports may be useful

#Robocfg port mapping
#Model { WAN L1 L2 L3 L4 CPU }
#RTN16: { 0, 4, 3, 2, 1, 8 }
#RTAC56U: { 4, 0, 1, 2, 3, 5 }
#RTN66U: { 0, 1, 2, 3, 4, 8 }
#RTAC66U: { 0, 1, 2, 3, 4, 8 }
#RTAC68U: { 0, 1, 2, 3, 4, 5 }
#RTAC87U: { 0, 5, 3, 2, 1, 7 }
#RTAC3200: { 0, 4, 3, 2, 1, 5 }

Also the "nvram commit" line should not be required in the script.

 

[Pablo]

Hi, I'be been fighting with this for a couple of days.
I have a pfSense router with a VLAN4 defined on the LAN interface tagged with id "4". That port is connected to port 1 on the router. My goal is to have a wlan on vlan4.

This is how I have configured it:

robocfg vlan 4 ports "1t 8t"
vconfig add eth0 4
ifconfig vlan4 up

brctl addbr br1
brctl delif br0 wl0.1
brctl delif br0 wl1.1
brctl addif br1 wl0.1
brctl addif br1 wl1.1
brctl addif br1 vlan4
ifconfig br1 up

nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="vlan4 wl0.1 wl1.1"
nvram set lan1_ifname="br1"

nvram commit
killall eapd
eapd

Port 1 is tagged because it is also used on VLAN3 (another VLAN defined in pfSense and on the phisical LAN interface).


This is the output of "robocfg show"

Switch: enabled
Port 0:   DOWN enabled stp: none vlan: 2 jumbo: off mac: 00:00:00:00:00:00
Port 1:  100FD enabled stp: none vlan: 1 jumbo: off mac: 52:54:00:0a:74:e6
Port 2:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 4: 1000FD enabled stp: none vlan: 1 jumbo: off mac: a0:f3:c1:f8:6f:b0
Port 8: 1000FD enabled stp: none vlan: 1 jumbo: off mac: c4:04:15:23:8d:25
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 1 2 3 4 8t
   2: vlan2: 0 8t
   3: vlan3: 1t 4t 8t
   4: vlan4: 1t 8t
1045: vlan1045: 0t 3 4t 8u
1046: vlan1046: 0 1 2 3 4 5 7t
1047: vlan1047: 0t 2t 4 5t 7
1099: vlan1099: 0t 5 7
1100: vlan1100: 2 3 7 8t
1101: vlan1101: 3t
1102: vlan1102: 0 1 2t 3t 4 7t 8t
1103: vlan1103: 0 8u

And this is the output from "brctl show"

bridge name     bridge id               STP enabled     interfaces
br0             8000.c40415238d25       yes             vlan1
                                                        eth1
                                                        eth2
br1             8000.022215a50305       no              wl0.1
                                                        wl1.1
                                                        vlan4

With this setup when I try to connect from a wifi device to the guest SSID (defined on the XWRT gui), I've get stucked at the point when it's trying to get the IP address. So, I can pass the authentication point successfully (tried both open and wpa2 with same results) and just keeps trying to get an IP address.

I think that no connection is established with the pfSense box, because no packet seems to appear on the "Interface statistics" panel, so I think my VLAN is not well defined but... what is wrong?

On the pfSense box I have VLAN3 working with a DHCP for VLAN3 and also VLAN4 defined the same as VLAN3 (just with different ID tag) and also a DHCP defined for VLAN4 with different ip address ranges (VLAN3 192.168.3.0 and VLAN4 192.168.4.0)

Anyone willing to troubleshoot this to help me?

Thanks,
Pablo

 

[Pablo]

I'll reply to myself so anyone with this problem can avoid loosing days trying to solve this...

The configuration is right, the only problem was that I forgot to specify in pfSense that the DNS resolver must serve addresses on all the VLANs and not just on the LAN..... :-(

 

[snb_rookie]

I am trying to use this configuration, but scale it up to more SSID / VLAN combos and using a managed switch with pfsense. I'm having a terrible time and I'm not convinced the VLAN tagging on Merlin supports what I am trying to accomplish.

RT-AC68R / Merlin 380.68.

Attempted VLAN / SSID config:

VLAN11 - Internet only access port from LGS308 (not related to ASUS.. works great).

ssid:dev1 VLAN20 - Internet only
ssid:dev2VLAN21 - Internet only
ssid:media VLAN22 - Internet only

My HW config is as follows:

WAN <--> PF Sense <---> LGS308 <---> RT-AC68R
LGS308 is connected to PF Sense LAN via a trunk port (1) which carries all VLANs.

Per instructions in this thread, I'm adding 3 new guest VLANs (wl0.1, wl1.1, wl1.2)

This is my config. I'm using ports 2-4 on the ASUS, which is configured in AP only mode.

#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

robocfg vlan 20 ports "2t 5t"
vconfig add eth0 20
ifconfig vlan20 up

robocfg vlan 21 ports "3t 5t"
vconfig add eth0 21
ifconfig vlan21 up

robocfg vlan 22 ports "4t 5t"
vconfig add eth0 22
ifconfig vlan22 up

brctl addbr br1
brctl delif br0 wl0.1
brctl addif br1 wl0.1
brctl addif br1 vlan20
ifconfig br1 up

brctl addbr br2
brctl delif br0 wl1.1
brctl addif br2 wl1.1
brctl addif br2 vlan21
ifconfig br2 up

brctl addbr br3
brctl delif br0 wl1.2
brctl addif br3 wl1.2
brctl addif br3 vlan22
ifconfig br3 up

nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"

nvram set lan1_ifnames="vlan20 wl0.1"
nvram set lan1_ifname="br1"

nvram set lan2_ifnames="vlan21 wl1.1"
nvram set lan2_ifname="br2"

nvram set lan3_ifnames="vlan22 wl1.2"
nvram set lan3_ifname="br3"

killall eapd
eapd

Really, I'm just trying to get the guest traffic tagged so pfsense can handle the rest...

Symptoms are hard to describe. Often times I get VLAN-appropriate DHCP from pf sense, but the sanity stops there. Internet on my non-guest SSIDs becomes intermittent.

I've also tried trunking all 3 VLANs to one port (2t for instance) to save on switch ports. This doesn't seem to behave any better. I realize not much to go on...

EDIT: Not an issue with ASUS Merlin at all... it was tagging just fine.

As it turns out, the biggest issue with this setup was the "default VLAN" or Parent LAN interface in PfSense. I left this in here, because I didn't want to bother with VLAN config for non-guest wifi networks. Problem is, when you go this route configuring firewall rules becomes a real hassle, because you have VLAN traffic showing up both on the parent interface and on the VLAN interface itself, requiring a bunch of duplicate rules.

I ended up adding a VLAN10 for "local" ops, and then adding it to the "br0" bridge which contains eth1 and eth2. After a bit of reconfig, everything is good.

 

[Wisiwyg]

EDIT: Not an issue with ASUS Merlin at all... it was tagging just fine.

As it turns out, the biggest issue with this setup was the "default VLAN" or Parent LAN interface in PfSense. I left this in here, because I didn't want to bother with VLAN config for non-guest wifi networks. Problem is, when you go this route configuring firewall rules becomes a real hassle, because you have VLAN traffic showing up both on the parent interface and on the VLAN interface itself, requiring a bunch of duplicate rules.

I ended up adding a VLAN10 for "local" ops, and then adding it to the "br0" bridge which contains eth1 and eth2. After a bit of reconfig, everything is good.

I am about to undertake this same project with an AC68U in AP mode with wifi Guest on LAN4 to an OPNSense fw. Would you please describe your pfSense solution a bit more (easy to make translation between pfSense and OpnSense)? I.e you created a bridge between Parent VLAN and Guest VLAN10 in pfSense? My goal is to add a Guest via wifi for internet only, but prevent Guest from accessing internal resources while still providing pf firewall services. Wouldn't bridging the two open up the internal network to Guest? I apologize in advance for my newb question.

 

[Pablo]

I am trying to use this configuration, but scale it up to more SSID / VLAN combos and using a managed switch with pfsense. I'm having a terrible time and I'm not convinced the VLAN tagging on Merlin supports what I am trying to accomplish.

RT-AC68R / Merlin 380.68.

Attempted VLAN / SSID config:

VLAN11 - Internet only access port from LGS308 (not related to ASUS.. works great).

ssid:dev1 VLAN20 - Internet only
ssid:dev2VLAN21 - Internet only
ssid:media VLAN22 - Internet only

My HW config is as follows:

WAN <--> PF Sense <---> LGS308 <---> RT-AC68R
LGS308 is connected to PF Sense LAN via a trunk port (1) which carries all VLANs.

Per instructions in this thread, I'm adding 3 new guest VLANs (wl0.1, wl1.1, wl1.2)

This is my config. I'm using ports 2-4 on the ASUS, which is configured in AP only mode.

#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

robocfg vlan 20 ports "2t 5t"
vconfig add eth0 20
ifconfig vlan20 up

robocfg vlan 21 ports "3t 5t"
vconfig add eth0 21
ifconfig vlan21 up

robocfg vlan 22 ports "4t 5t"
vconfig add eth0 22
ifconfig vlan22 up

brctl addbr br1
brctl delif br0 wl0.1
brctl addif br1 wl0.1
brctl addif br1 vlan20
ifconfig br1 up

brctl addbr br2
brctl delif br0 wl1.1
brctl addif br2 wl1.1
brctl addif br2 vlan21
ifconfig br2 up

brctl addbr br3
brctl delif br0 wl1.2
brctl addif br3 wl1.2
brctl addif br3 vlan22
ifconfig br3 up

nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"

nvram set lan1_ifnames="vlan20 wl0.1"
nvram set lan1_ifname="br1"

nvram set lan2_ifnames="vlan21 wl1.1"
nvram set lan2_ifname="br2"

nvram set lan3_ifnames="vlan22 wl1.2"
nvram set lan3_ifname="br3"

killall eapd
eapd

Really, I'm just trying to get the guest traffic tagged so pfsense can handle the rest...

Symptoms are hard to describe. Often times I get VLAN-appropriate DHCP from pf sense, but the sanity stops there. Internet on my non-guest SSIDs becomes intermittent.

I've also tried trunking all 3 VLANs to one port (2t for instance) to save on switch ports. This doesn't seem to behave any better. I realize not much to go on...

EDIT: Not an issue with ASUS Merlin at all... it was tagging just fine.

As it turns out, the biggest issue with this setup was the "default VLAN" or Parent LAN interface in PfSense. I left this in here, because I didn't want to bother with VLAN config for non-guest wifi networks. Problem is, when you go this route configuring firewall rules becomes a real hassle, because you have VLAN traffic showing up both on the parent interface and on the VLAN interface itself, requiring a bunch of duplicate rules.

I ended up adding a VLAN10 for "local" ops, and then adding it to the "br0" bridge which contains eth1 and eth2. After a bit of reconfig, everything is good.

I do have the strange behaviour you mentioned; the VLAN traffic showing up both on the VLAN and on the parent interface and intermittent internet on the VLAN SSIDs , so if you can share your configuration I would really really appreciate that.

Thanks.
Pablo

 

[Pablo]

I am about to undertake this same project with an AC68U in AP mode with wifi Guest on LAN4 to an OPNSense fw. Would you please describe your pfSense solution a bit more (easy to make translation between pfSense and OpnSense)? I.e you created a bridge between Parent VLAN and Guest VLAN10 in pfSense? My goal is to add a Guest via wifi for internet only, but prevent Guest from accessing internal resources while still providing pf firewall services. Wouldn't bridging the two open up the internal network to Guest? I apologize in advance for my newb question.

Hi, have you got any reply from snb_rookie ? or have you been able to made it yourself?

 

[Wisiwyg]

Hi, have you got any reply from snb_rookie ? or have you been able to made it yourself?

Not yet, but not expecting an immedite reply, or any for that matter. The Asus side looks pretty well resolved from the message trail. Its the opnSense side I was asking about, so kind of off-topic for this forum. I'll simply go trial and error once I get into it. If I get it figured out I'll post a reply for others.

 

[Pablo]

Not yet, but not expecting an immedite reply, or any for that matter. The Asus side looks pretty well resolved from the message trail. Its the opnSense side I was asking about, so kind of off-topic for this forum. I'll simply go trial and error once I get into it. If I get it figured out I'll post a reply for others.

I have done the Merlin config as found everywhere on this forum, b0ut I have the strange behaviour of seeing the vlan traffic on the parent interface and intermitent internet on vlans. Is that Xwrt fault or it's pfSense fault?
I'm using the parent interface as the LAN interface, is this ok?