Using Asus routers as VLAN-capable APs

agbommarito

Occasional Visitor
For some time now, I've been trying to "harden" my home network with fully isolated IOT and Guest networks using VLANs. I have two RT-AX86Us; one is the router and the other is either a mesh node or an AP. When the second RT-AX86U is set up as an AP, I use a script posted by Maxbraketorque (https://www.snbforums.com/threads/s...st-networks-on-asus-routers-in-ap-mode.84673/). Neither the mesh nor the AP route is fully satisfying to me. Both are limited to guest network #1, so I can't have both an IOT and a Guest network. The network map, client list and wireless log seem to be buggy in either case.

I considered getting rid of the RT-AX86Us and buying Pro or ExpertWifi equipment. But neither of those seems to be fully developed yet as regards their VLAN or SDN support. Plus buying two of those types of equipment would be rather pricey.

I had some prior experience with a Ubiquiti EdgeRouter, and that device was very capable. But setting up some things required using the CLI, which was somewhat arcane. This past summer, Ubiquiti released some new devices called Unifi Cloud Gateways. The Cloud Gateway Ultra costs $130. So I bought one with the thought of using my two RT-AX86Us as APs. I know that purchasing Ubiquiti APs would make things easy, but I didn't want to cough up another $500 or so.

I've got everything working to my satisfaction now. The two RT-AX86Us are set up as APs, using a modified script that sets up guest network #1 2.4G as an IOT VLAN network and guest network #2 2.4G/5G as a fully isolated guest network. That script is shown below. The Unifi setup was done with hints provided by this YouTube video ().

There is one small issue that I'm asking for ideas on how to fix. There is a race condition on power-up between the time the RT-AX86U radios turn on and the time my script sets up the two needed VLANs. During this time, Wi-Fi clients can make a DHCP request that goes to the Unifi router as untagged traffic. That gets them assigned to the trusted network. After a fairly short while, things self-correct. But until it does, network security is compromised.

The script runs by means of the services-start custom script which is triggered after the radios are operational. I've tried using the service-event custom script to run before the radios get turned on, but that event never seems to trigger. I've looked over the router source code but have come up blank with ideas.

Does anyone have any suggestions on things to try?

Here's the script I'm using:

#!/bin/sh
#
# Script to setup guest networks in ASUS routers in AP mode for use as APs on a Unifi Cloud Gateway router
#
# This script is based on previous work:
#
# Original script by Jimmy-Z is here: https://gist.github.com/Jimmy-Z/6120988090b9696c420385e7e42c64c4
#
# Modification by Eric Lieb is here: https://www.snbforums.com/threads/ac86u-vlan-tagging-with-merlinwrt.84508
#
# Modification by Maxbraketorque is here: https://www.snbforums.com/threads/s...est-networks-on-asus-routers-in-ap-mode.84673
#
# The ASUS routers should be running Merlin firmware.
# Factory reset the routers, then set them up in AP mode.
# Make sure that custom scripts and SSH access are enabled.
#
# Setup Guest network #1 for use as a 2.4G IOT network
# 1. Give the 2.4G network your desired SSID
# 2. Set network authentication to WPA2-Personal
# 3. Set your desired network password
# 4. Set "Guest network on AiMesh" to "Router only"
# 5. Leave 5G network disabled
#
# Setup Guest network #2 for use as a 2.4G/5G guest network
# 1. Give the 2.4G network your desired SSID
# 2. Set network authentication to WPA2/WPA3-personal
# 3. Set your desired network password
# 4. Repeat steps 1-3 for the 5G network
#
# Guest network #1 will be assigned to VLAN 100
#
# Guest network #2 will be assigned to VLAN 200
#
# The WAN port of each ASUS AP must be connected to the Unifi Cloud Gateway router. It is assumed that the ASUS
# interfaces are as follows:
# eth0 => WAN port
# eth1~4 => 1 gbps LAN ports 4~1, they're numerically reversed
# eth5 => 2.5 gbps LAN port
# eth6 => main network WiFi 2.4G
# eth7 => main network WiFi 5G
# wl0.1 through wl0.3 => WiFi 2.4G guest networks 1 thru 3
# wl1.1 through wl1.3 => WiFi 5G guest networks 1 thru 3
# Note that any of ports eth0 through eth5 can be used to connect the AP to the Unifi router. You must modify the VLAN
# creation commands below to match your physical hookup.
#
# If a network switch is used between the ASUS AP and the Unifi Cloud Gateway router, the VLAN traffic must pass through properly.
# 1. Some unmanaged switches will pass the VLAN packets. Others will not. Buy a new switch if yours does not.
# 2. Managed switches will likely need to be programmed to pass the guest network VLANs. The programming steps are
# specific to each manufacturer's switch.
#
# Instructions for ASUS AP via SSH:
# 1. Copy this script to a file named "Unifi-AP-VLAN.sh" in the directory "/jffs/scripts/" on the ASUS AP.
# a. This can be done by copying the script from a PC to a memory stick and then transferring the memory
# stick to the ASUS AP. Make sure that the file has Unix-style line endings.
# b. Or you can create the file directly in the ASUS AP using a text editor.
# c. Issue the command "chmod 0755 Unifi-AP-VLAN.sh" after saving the script file to "/jffs/scripts".
# 2. In the 'services-start' file, add the following line: "/jffs/scripts/Unifi-AP-VLAN.sh"
# 3. Reboot the AP.
#


# Start of script commands to create isolated guest network on ASUS router AP.


# identify script in log
logger -t "Unifi-AP-VLAN" -p 4 "Setting up guest network VLANs"

# Remove GN#1 2.4G and GN#2 2.4G/5G interfaces from current bridge
brctl delif br0 wl0.1
brctl delif br0 wl0.2
brctl delif br0 wl1.2

# Create VLAN 100 and VLAN 200 then link to port used to connect AP to main router (change "eth0" to whatever port you use)
ip link add link eth0 name vlan100 type vlan id 100
ip link set vlan100 up
ip link add link eth0 name vlan200 type vlan id 200
ip link set vlan200 up

# Create new bridges, one for each VLAN
brctl addbr br1
brctl addbr br2

# Add GN#1 2.4G and GN#2 2.4G/5G interfaces to new bridges
brctl addif br1 vlan100
brctl addif br1 wl0.1
brctl addif br2 vlan200
brctl addif br2 wl0.2
brctl addif br2 wl1.2

# Turn on the new bridges
ip link set br1 up
ip link set br2 up

# Create names in NVRAM
nvram set lan1_ifnames="wl0.1 vlan100"
nvram set lan1_ifname="br1"
nvram set br1_ifnames="wl0.1 vlan100"
nvram set br1_ifname="br1"
nvram set lan2_ifnames="wl0.2 wl1.2 vlan200"
nvram set lan2_ifname="br2"
nvram set br2_ifnames="wl0.2 wl1.2 vlan200"
nvram set br2_ifname="br2"

# eapd reads config from these (no need to set lan_ifname since it's already there)
nvram set lan_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth7 eth0"

# restart eapd
killall eapd
eapd
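
As an added example that is not part of the original post or of Asuswrt-Merlin, here is a self-check that makes the race condition above visible and shortens its window: it reads bridge membership from sysfs, flags any guest Wi-Fi interface that is still in br0 (where its clients reach the trusted LAN untagged), and, when run with --live, takes the leaked interfaces down, re-runs the setup script, and brings them back up. It assumes the interface names and VLAN-to-bridge mapping exactly as in the script above (wl0.1 in br1 with vlan100; wl0.2 and wl1.2 in br2 with vlan200), that the setup script lives at /jffs/scripts/Unifi-AP-VLAN.sh, that bridge membership is readable from /sys/class/net/<bridge>/brif (standard Linux bridge sysfs), and that `ip link set <wl iface> down` is enough to stop new clients associating on that SSID while the bridges are repaired; that last point is an assumption about the Broadcom driver, not something the post confirms. The script name vlan-check.sh and the sample membership tables are made up for the example.

```sh
#!/bin/sh
# Added example (not the post's own code): verify guest Wi-Fi isolation on an
# Asus AP set up by Unifi-AP-VLAN.sh, and quarantine leaked interfaces.
# Assumptions: wl0.1 -> br1/vlan100, wl0.2 and wl1.2 -> br2/vlan200 (as in the
# post), setup script at /jffs/scripts/Unifi-AP-VLAN.sh, bridge membership
# visible under /sys/class/net/<bridge>/brif.

GUEST_IFS="wl0.1 wl0.2 wl1.2"

# Required "bridge member" pairs, one per line (mirrors the post's script).
EXPECTED="br1 vlan100
br1 wl0.1
br2 vlan200
br2 wl0.2
br2 wl1.2"

# live_membership: print "bridge member" pairs from sysfs, one per line.
live_membership() {
    for brif in /sys/class/net/*/brif; do
        [ -d "$brif" ] || continue
        br=${brif#/sys/class/net/}
        br=${br%/brif}
        for m in "$brif"/*; do
            [ -e "$m" ] && printf '%s %s\n' "$br" "${m##*/}"
        done
    done
    return 0
}

# check_isolation TABLE: TABLE is "bridge member" text as printed by
# live_membership. Returns 0 if every expected pair is present and no guest
# interface sits in br0; otherwise prints each problem and returns 1.
check_isolation() {
    table=$1
    rc=0
    for gi in $GUEST_IFS; do
        if printf '%s\n' "$table" | grep -qxF "br0 $gi"; then
            echo "LEAK: $gi is in br0 (untagged, reaches the trusted LAN)"
            rc=1
        fi
    done
    old_ifs=$IFS
    IFS='
'
    for pair in $EXPECTED; do
        if ! printf '%s\n' "$table" | grep -qxF "$pair"; then
            echo "MISSING: $pair"
            rc=1
        fi
    done
    IFS=$old_ifs
    return $rc
}

# leaked_ifs TABLE: print the guest interfaces currently in br0, one per line.
leaked_ifs() {
    for gi in $GUEST_IFS; do
        printf '%s\n' "$1" | grep -qxF "br0 $gi" && echo "$gi"
    done
    return 0
}

# quarantine TABLE: take leaked guest interfaces down so no new client can
# associate and DHCP onto the trusted network, re-run the post's setup script
# (its commands that already hold simply fail; the rest proceed), then bring
# the guest interfaces back up inside their VLAN bridges.
quarantine() {
    for gi in $(leaked_ifs "$1"); do
        ip link set "$gi" down
    done
    /jffs/scripts/Unifi-AP-VLAN.sh
    for gi in $GUEST_IFS; do
        ip link set "$gi" up
    done
}

# Only touch the live system when invoked with --live, e.g. from
# services-start right after the setup script, or from a periodic cron job.
if [ "${1:-}" = "--live" ]; then
    now=$(live_membership)
    if check_isolation "$now"; then
        logger -t "Unifi-AP-VLAN" -p 4 "guest VLAN isolation verified"
    else
        logger -t "Unifi-AP-VLAN" -p 3 "guest VLAN isolation broken, quarantining"
        quarantine "$now"
    fi
fi
```

Run it as `/jffs/scripts/vlan-check.sh --live` from services-start after Unifi-AP-VLAN.sh, or on a short cron interval; without --live it only defines the functions, so it can be sourced and exercised against a captured membership table. It does not close the gap between the radios coming up and services-start running, it only detects a leak and cuts it short, and any client that already obtained a trusted-LAN lease in that gap keeps it until the lease expires or the client reconnects.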
 
