Use Merlin to tag VLANs from AP to Router

Tiago

New Around Here
Hi all,

I'm a long time Merlin user but new to the forums. I've been reading around and I can't find anyone with a similar problem, so I thought I'd ask for help and see if anyone can help me.

My network topology is as follows:
- Downstairs I have an N66U which is my main router, that's connected to the modem.
+ This router creates two SSIDs, my main one, let's call it S1, and a guest SSID, let's call it G1.

- Upstairs I have an AC66U, running the same version of Merlin, which is connected to the N66U via a powerline LAN. It's set up as an AP.
+ Here I have also created the same two SSIDs, with exactly the same names and passwords.

It all works okay. I can connect to both SSIDs, signal strength is good, etc... however... connecting to the guest networks on the AP doesn't isolate the access to the LAN network (I've checked and double checked, and I did disable access to the intranet in all the guest SSIDs).

From what I've been reading, this kind of makes sense. Even if I'm connected to the guest SSID on the AP, the network traffic gets bridged to the LAN interface, which then gets pushed to the main router as normal internal traffic. Moreover, since the AP does no routing whatsoever but rather relies on the router downstairs to do all the routing, I don't think that an AP can normally enforce a guest SSID's intranet isolation without additional configuration.

So it seems that the solution would be to do VLAN tagging. If I understand the concept correctly (I'm not a network expert, so correct me if I'm wrong), the AP could tag the guest SSID interface into its own, separate VLAN, and the router downstairs can then isolate the VLAN tagged with whatever number I choose so as not to be able to access the intranet.

This is all fine in theory but I have literally no clue where to even get started with this since it will all have to be done through the CLI and through the router's obscure commands.

Does anyone have any idea how to fix this? Or maybe some reading material that points me in the right direction? I'm on the verge of switching to Tomato Shibby as it has a GUI for setting up VLAN tagging, but every time I've used Tomato Shibby I felt that performance was lacking and the router just didn't seem to be the same so I'd rather stick with Merlin.

Any help is greatly appreciated. I'm familiar with SSHing and CLIs, I just don't know much about VLAN tagging (I know that apparently I need a VLAN trunk or something, since the cable that connects the AP to the main router will carry two VLANs over the same physical interface).

Thanks in advance,
Tiago
 
I assume it can do it. The way that most routers handle separating the WAN and LAN interfaces is by assigning them VLANs. I believe I have seen references to VLANs in Merlin firmware on some status pages. It may have to be manually configured somehow.
Either way though, I don't believe this option will work for you over the PowerLine adapters.

VLAN devices can isolate traffic so not all devices are linked together within a switch. They are numbered, 1-4096. Each port can be assigned any number of Tagged VLANs, and must be assigned one "Untagged" VLAN. The Untagged VLAN is the only VLAN a device connected to it will be able to communicate on if it's a "dumb" non-VLAN-aware device. Only other VLAN-aware devices can pick up on the Tagged VLANs.

If you had the ability for the Asus routers to run VLANs, and had a straight Ethernet cable connecting the two, you could assign each port connecting the two with the "Private" VLAN traffic to VLAN1 Untagged, and the "Public" VLAN the Guest WiFi uses to VLAN5 Tagged or something. Then tell the Guest SSID on the 2nd device to use VLAN5 and the private SSID to use VLAN1. This is how commercial/industrial APs work (I have dozens at my work, with each VLAN having its own isolated network for specific divisions, public, etc).

Your problem is the PowerLine adapters are "Dumb" devices. So they can only read a single Untagged VLAN and push that along. So it won't do what you're looking for it to do.

What might be better is setting some rules on the 2nd router that's in AP mode so that it disallows all traffic to anything in your subnet except the router itself for the Guest SSID. It might be a better way of going about it.
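Woodbury's tagged/untagged port model above, as an added Python example that is not from the thread: it builds and parses 802.1Q frames (the tag sits in the Ethernet header right after the source MAC, below IP) and models a port with one untagged VLAN plus tagged memberships, so you can see what a VLAN5 guest frame looks like on the trunk and why a port with no VLAN5 membership drops it. Port names, MACs and the frame contents are constructed for the demo.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows

def build_frame(dst, src, ethertype=0x0800, payload=b"\x00" * 46):
    """Constructed untagged Ethernet frame: dst MAC, src MAC, EtherType, payload."""
    return dst + src + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (dst, src, vid, ethertype, payload); vid is None for an untagged frame."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, inner_type, frame[18:]  # low 12 bits of TCI = VID
    return dst, src, None, ethertype, frame[14:]

def add_tag(frame, vid):
    """Insert a 4-byte 802.1Q tag between the source MAC and the EtherType."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]

def strip_tag(frame):
    """Remove the 802.1Q tag again (caller has already checked the frame is tagged)."""
    return frame[:12] + frame[16:]

class Port:
    """A switch port with one untagged (PVID) VLAN and any number of tagged VLANs."""
    def __init__(self, name, untagged, tagged=()):
        self.name, self.untagged, self.tagged = name, untagged, set(tagged)
    def ingress(self, wire_frame):
        """Classify an arriving frame: (vid, untagged_frame), or (None, None) if dropped."""
        vid = parse_frame(wire_frame)[2]
        if vid is None:                      # untagged: belongs to the port's PVID
            return self.untagged, wire_frame
        if vid in self.tagged:               # tagged, and this port is a member
            return vid, strip_tag(wire_frame)
        return None, None                    # tagged for a VLAN this port does not carry

    def egress(self, vid, frame):
        """Send a frame the switch holds in VLAN `vid` out of this port, or None."""
        if vid == self.untagged:
            return frame                     # PVID traffic leaves without a tag
        if vid in self.tagged:
            return add_tag(frame, vid)       # member VLANs leave tagged
        return None                          # not a member: never forwarded here

def walk_trunk(vid, frame, sender, receiver):
    # Push a frame in VLAN `vid` out of `sender`, over the wire, into `receiver`.
    on_wire = sender.egress(vid, frame)
    return None if on_wire is None else receiver.ingress(on_wire)[0]
```

The same TPID/TCI layout is what a Linux 802.1Q sub-interface such as eth0.5 adds on transmit and strips on receive, which is why a VLAN-unaware hop only ever "sees" the untagged VLAN.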
 
Hi Woodbury!

Thanks for your answer!

About the powerlines... from what I read http://www.linksysinfo.org/index.php?threads/powerline-adapters-and-trunked-vlans.68691/ it shouldn't be a problem and I'm inclined to agree. If indeed VLANs are managed on the IP layer, then the powerline shouldn't interfere with it. As far as I know all powerlines are basically just dumb layer 1 hubs which means they wouldn't even touch the IP layer.

But I like your suggestion about using rules to just block everything except the router... it might be a good workaround while I can figure out the rest :) but I still would like the VLAN solution since otherwise devices on the guest network cannot communicate amongst themselves.
 
Hi Tiago,
I have the same configuration and requirements as you. Did you get this working and, if so, can you share your solution (scripts, wiring etc.)?
Thanks in advance,
Scott.