
Using Asus routers as VLAN-capable APs

agbommarito

Occasional Visitor
For some time now, I've been trying to "harden" my home network with fully isolated IOT and Guest networks using VLANs. I have two RT-AX86Us; one is the router and the other is either a mesh node or an AP. When the second RT-AX86U is set up as an AP, I use a script posted by Maxbraketorque (https://www.snbforums.com/threads/s...st-networks-on-asus-routers-in-ap-mode.84673/). Neither the mesh nor the AP route is fully satisfying to me. Both are limited to guest network #1, so I can't have both an IOT and a Guest network. The network map, client list and wireless log seem to be buggy in either case.

I considered getting rid of the RT-AX86Us and buying Pro or ExpertWifi equipment. But neither of those seems to be fully developed yet as regards VLAN or SDN support. Plus, buying two of those types of equipment would be rather pricey.

I had some prior experience with a Ubiquiti EdgeRouter, and that device was very capable. But setting up some things required using the CLI, which was somewhat arcane. This past summer, Ubiquiti released some new devices called Unifi Cloud Gateways. The Cloud Gateway Ultra costs $130. So I bought one with the thought of using my two RT-AX86Us as APs. I know that purchasing Ubiquiti APs would make things easy, but I didn't want to cough up another $500 or so.

I've got everything working to my satisfaction now. The two RT-AX86Us are set up as APs, using a modified script that sets up guest network #1 2.4G as an IOT VLAN network and guest network #2 2.4G/5G as a fully isolated guest network. That script is shown below. The Unifi setup was done with hints provided by a YouTube video.

There is one small issue that I'm asking for ideas on how to fix. There is a race condition on power-up between the time the RT-AX86U radios turn on and the time my script sets up the two needed VLANs. During this time, Wi-Fi clients can make a DHCP request that goes to the Unifi router as untagged traffic. That gets them assigned to the trusted network. Eventually, things self-correct. But until they do, network security is compromised.

The script runs by means of the services-start custom script which is triggered after the radios are operational. I've tried using the service-event custom script to run before the radios get turned on, but that event never seems to trigger. I've looked over the router source code but have come up blank with ideas.

Does anyone have any suggestions on things to try?

Here's the script I'm using:

Code:
#!/bin/sh
#
# Script to setup guest networks in ASUS routers in AP mode for use as APs on a Unifi Cloud Gateway router
#
# This script is based on previous work:
#
# Original script by Jimmy-Z is here:        https://gist.github.com/Jimmy-Z/6120988090b9696c420385e7e42c64c4
#
# Modification by Eric Lieb is here:        https://www.snbforums.com/threads/ac86u-vlan-tagging-with-merlinwrt.84508
#
# Modification by Maxbraketorque is here:    https://www.snbforums.com/threads/script-to-enable-isolated-guest-networks-on-asus-routers-in-ap-mode.84673
#
# The ASUS routers should be running Merlin firmware.
# Factory reset the routers then setup in AP mode.
# Make sure that custom scripts and SSH access are enabled.
#
# Setup Guest network #1 for use as a 2.4G IOT network
#    1. Give the 2.4G network your desired SSID
#    2. Set network authentication to WPA2-Personal
#    3. Set your desired network password
#    4. Set "Guest network on AiMesh" to "Router only"
#    5. Leave 5G network disabled
#
# Setup Guest network #2 for use as a 2.4G/5G guest network
#    1. Give the 2.4G network your desired SSID
#    2. Set network authentication to WPA2/WPA3-personal
#    3. Set your desired network password
#    4. Repeat steps 1-3 for the 5G network
#
# Guest network #1 will be assigned to VLAN 100
#
# Guest network #2 will be assigned to VLAN 200
#
# The WAN port of each ASUS AP must be connected to the Unifi Cloud Gateway router.  It is assumed that the ASUS
# interfaces are as follows:
#       eth0            => WAN port
#       eth1~4            => 1 gbps LAN ports 4~1, they're numerically reversed
#       eth5            => 2.5 gbps LAN port
#       eth6            => main network WiFi 2.4G
#       eth7            => main network WiFi 5G
#       wl0.1 through wl0.3 => WiFi 2.4G guest networks 1 thru 3
#       wl1.1 through wl1.3 => WiFi 5G   guest networks 1 thru 3
# Note that any of ports eth0 through eth5 can be used to connect the AP to the Unifi router.  You must modify the VLAN
# creation commands below to match your physical hookup.
#
# If a network switch is used between the ASUS AP and the Unifi Cloud Gateway router, the VLAN traffic must pass through properly.
#       1. Some unmanaged switches will pass the VLAN packets.  Others will not.  Buy a new switch if yours does not.
#       2. Managed switches will likely need to be programmed to pass the guest network VLANs.  The programming steps are
#       specific to each manufacturer's switch.
#
# Instructions for ASUS AP via SSH:
#    1. Copy this script to a file named "Unifi-AP-VLAN.sh" in the directory "/jffs/scripts/" on the ASUS AP.
#       a. This can be done by copying the script from a PC to a memory stick and then transferring the memory
#          stick to the ASUS AP.  Make sure that the file has Unix-style line endings.
#       b. Or you can create the file directly in the ASUS AP using a text editor.
#       c. Issue the command "chmod 0755 Unifi-AP-VLAN.sh" after saving the script file to "/jffs/scripts".
#    2. In the 'services-start' file, add the following line: "/jffs/scripts/Unifi-AP-VLAN.sh"
#    3. Reboot the AP.
#

# Start of script commands to create isolated guest network on ASUS router AP.

# identify script in log
logger -t "Unifi-AP-VLAN" -p 4 "Setting up guest network VLANs"

# Remove GN#1 2.4G and GN#2 2.4G/5G interfaces from current bridge
brctl delif br0 wl0.1
brctl delif br0 wl0.2
brctl delif br0 wl1.2

# Create VLAN 100 and VLAN 200 then link to port used to connect AP to main router (change "eth0" to whatever port you use)
ip link add link eth0 name vlan100 type vlan id 100
ip link set vlan100 up
ip link add link eth0 name vlan200 type vlan id 200
ip link set vlan200 up

# Create new bridges, one for each VLAN
brctl addbr br1
brctl addbr br2

# Add GN#1 2.4G and GN#2 2.4G/5G interfaces to new bridges
brctl addif br1 vlan100
brctl addif br1 wl0.1
brctl addif br2 vlan200
brctl addif br2 wl0.2
brctl addif br2 wl1.2

# Turn on the new bridges
ip link set br1 up
ip link set br2 up

# Create names in NVRAM
nvram set lan1_ifnames="wl0.1 vlan100"
nvram set lan1_ifname="br1"
nvram set br1_ifnames="wl0.1 vlan100"
nvram set br1_ifname="br1"
nvram set lan2_ifnames="wl0.2 wl1.2 vlan200"
nvram set lan2_ifname="br2"
nvram set br2_ifnames="wl0.2 wl1.2 vlan200"
nvram set br2_ifname="br2"

# eapd reads config from these (no need to set lan_ifname since it's already there)
nvram set lan_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth7 eth0"

# restart eapd
killall eapd
eapd
 
After some more searching in the forum, I found the solution. It was to turn off the radios at the start of the script and turn them back on at the end.

Here's the updated code:

Code:
#!/bin/sh
#
# Script to setup guest networks in ASUS routers in AP mode for use as APs on a Unifi Cloud Gateway router
#
# This script is based on previous work:
#
# Original script by Jimmy-Z is here:        https://gist.github.com/Jimmy-Z/6120988090b9696c420385e7e42c64c4
#
# Modification by Eric Lieb is here:        https://www.snbforums.com/threads/ac86u-vlan-tagging-with-merlinwrt.84508
#
# Modification by Maxbraketorque is here:    https://www.snbforums.com/threads/script-to-enable-isolated-guest-networks-on-asus-routers-in-ap-mode.84673
#
# The ASUS routers should be running Merlin firmware.
# Factory reset the routers then setup in AP mode.
# Make sure that custom scripts and SSH access are enabled.
#
# Setup Guest network #1 for use as a 2.4G IOT network
#    1. Give the 2.4G network your desired SSID
#    2. Set network authentication to WPA2-Personal
#    3. Set your desired network password
#    4. Set "Guest network on AiMesh" to "Router only"
#    5. Leave 5G network disabled
#
# Setup Guest network #2 for use as a 2.4G/5G guest network
#    1. Give the 2.4G network your desired SSID
#    2. Set network authentication to WPA2/WPA3-personal
#    3. Set your desired network password
#    4. Repeat steps 1-3 for the 5G network
#
# Guest network #1 will be assigned to VLAN 100
#
# Guest network #2 will be assigned to VLAN 200
#
# The WAN port of each ASUS AP must be connected to the Unifi Cloud Gateway router.  It is assumed that the ASUS
# interfaces are as follows:
#       eth0            => WAN port
#       eth1~4            => 1 gbps LAN ports 4~1, they're numerically reversed
#       eth5            => 2.5 gbps LAN port
#       eth6            => main network WiFi 2.4G
#       eth7            => main network WiFi 5G
#       wl0.1 through wl0.3 => WiFi 2.4G guest networks 1 thru 3
#       wl1.1 through wl1.3 => WiFi 5G   guest networks 1 thru 3
# Note that any of ports eth0 through eth5 can be used to connect the AP to the Unifi router.  You must modify the VLAN
# creation commands below to match your physical hookup.
#
# If a network switch is used between the ASUS AP and the Unifi Cloud Gateway router, the VLAN traffic must pass through properly.
#       1. Some unmanaged switches will pass the VLAN packets.  Others will not.  Buy a new switch if yours does not.
#       2. Managed switches will likely need to be programmed to pass the guest network VLANs.  The programming steps are
#       specific to each manufacturer's switch.
#
# Instructions for ASUS AP via SSH:
#    1. Copy this script to a file named "Unifi-AP-VLAN.sh" in the directory "/jffs/scripts/" on the ASUS AP.
#       a. This can be done by copying the script from a PC to a memory stick and then transferring the memory
#          stick to the ASUS AP.  Make sure that the file has Unix-style line endings.
#       b. Or you can create the file directly in the ASUS AP using a text editor.
#       c. Issue the command "chmod 0755 Unifi-AP-VLAN.sh" after saving the script file to "/jffs/scripts".
#    2. In the 'services-start' file, add the following line: "/jffs/scripts/Unifi-AP-VLAN.sh"
#    3. Reboot the AP.
#


# Start of script commands to create isolated guest network on ASUS router AP.


# identify script in log
logger -t "Unifi-AP-VLAN" -p 4 "Setting up guest network VLANs"

# turn off the radios to force all clients to deauthorize
wl -i eth6 down
wl -i eth7 down

# sleep to allow deauthorize to finish
sleep 1

# Remove GN#1 2.4G and GN#2 2.4G/5G interfaces from current bridge
brctl delif br0 wl0.1
brctl delif br0 wl0.2
brctl delif br0 wl1.2

# Create VLAN 100 and VLAN 200 then link to port used to connect AP to main router (change "eth0" to whatever port you use)
ip link add link eth0 name vlan100 type vlan id 100
ip link set vlan100 up
ip link add link eth0 name vlan200 type vlan id 200
ip link set vlan200 up

# Create new bridges, one for each VLAN
brctl addbr br1
brctl addbr br2

# Add GN#1 2.4G and GN#2 2.4G/5G interfaces to new bridges
brctl addif br1 vlan100
brctl addif br1 wl0.1
brctl addif br2 vlan200
brctl addif br2 wl0.2
brctl addif br2 wl1.2

# Turn on the new bridges
ip link set br1 up
ip link set br2 up

# Create names in NVRAM
nvram set lan1_ifnames="wl0.1 vlan100"
nvram set lan1_ifname="br1"
nvram set br1_ifnames="wl0.1 vlan100"
nvram set br1_ifname="br1"
nvram set lan2_ifnames="wl0.2 wl1.2 vlan200"
nvram set lan2_ifname="br2"
nvram set br2_ifnames="wl0.2 wl1.2 vlan200"
nvram set br2_ifname="br2"

# eapd reads config from these (no need to set lan_ifname since it's already there)
nvram set lan_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth7 eth0"

# restart eapd
killall eapd
eapd

# sleep to allow any running scripts to finish
sleep 5

# turn on the radios
wl -i eth6 up
wl -i eth7 up
 
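As an added check that is not part of the forum scripts (the `brctl show` samples are constructed, and the interface-to-bridge map matches the script above), the following parses the bridge table and confirms that each guest SSID interface landed in its VLAN bridge rather than staying in br0, which is the state the race condition described above leaves clients in:

```sh
#!/bin/sh
# Added check, not part of the forum script: parse `brctl show` and confirm
# that every guest SSID interface ended up in its VLAN bridge and none was
# left in br0 (where guest DHCP goes out untagged to the trusted LAN).

# Expected interface -> bridge mapping for the script above (override via env).
GUEST_MAP=${GUEST_MAP:-"wl0.1:br1 wl0.2:br2 wl1.2:br2"}

# Constructed `brctl show` output as it should look after the script has run.
SAMPLE_AFTER='bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000000       no              eth1
                                                        eth2
                                                        eth6
                                                        eth7
                                                        eth0
br1             8000.000000000000       no              vlan100
                                                        wl0.1
br2             8000.000000000000       no              vlan200
                                                        wl0.2
                                                        wl1.2'

# Constructed output for the race window: the VLAN bridges exist but the
# guest interfaces are still members of br0.
SAMPLE_RACE='bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000000       no              eth1
                                                        eth0
                                                        wl0.1
                                                        wl0.2
                                                        wl1.2
br1             8000.000000000000       no              vlan100
br2             8000.000000000000       no              vlan200'

# bridge_of <iface> [brctl-output]: print the bridge holding <iface>, or
# nothing if it is unbridged. Runs the live `brctl show` when no text is given.
bridge_of() {
    printf '%s\n' "${2:-$(brctl show)}" | awk -v want="$1" '
        NR == 1 { next }                                  # column header
        NF >= 3 { br = $1; port = (NF >= 4) ? $NF : "" }  # first row of a bridge
        NF == 1 { port = $1 }                             # continuation row: one member
        port == want { print br; exit }
    '
}

# check_guest_isolation [brctl-output]: status 0 when every interface in
# GUEST_MAP sits in its intended bridge; each mismatch is reported on stderr.
check_guest_isolation() {
    out=${1:-$(brctl show)}
    rc=0
    for pair in $GUEST_MAP; do
        iface=${pair%%:*}
        want=${pair##*:}
        got=$(bridge_of "$iface" "$out")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $iface is in '${got:-no bridge}', expected $want" >&2
            rc=1
        fi
    done
    return $rc
}

# Example run against the constructed samples (on the AP, call with no argument).
check_guest_isolation "$SAMPLE_AFTER" && echo "guest VLAN bridging OK"
check_guest_isolation "$SAMPLE_RACE" 2>/dev/null || echo "guest interfaces still in br0"
```

Running `check_guest_isolation` from a cron entry or at the end of the script gives a logged signal if a future firmware update puts the guest interfaces back into br0.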
Very nice and thanks for sharing!

Useful not only for Ubiquiti gateways, but also for appliances running pfSense/OPNsense, Firewalla, etc.
 
Thanks. This is great work and I’m going to try it with my opnsense firewall with mixed UniFi and Asus APs.

I already have my UniFi AP working with opnsense and vlan so I will just need to update this all to match the 100 and 200 tags.

Is there a command I can run to see the port config of my Asus APs? They are both RT-AX58U, so no 2.5G port.
 
I don't know of a particular command to use. But if you just use the WAN port to connect the Asus device to your opnsense box it shouldn't really matter. As far as I know, eth0 is always the WAN port on all Asus devices.

You would have to make a few changes to the script. Near the top is a section to turn off the radios and a similar section near the bottom to turn the radios back on. In both sections, change "eth6" to "eth5" and "eth7" to "eth6".

Several lines up from the bottom reads:

nvram set lan_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth7 eth0"

Remove "eth7" from this line.

The VLAN IDs of 100 and 200 are completely arbitrary. You can change them to whatever you need for your setup.
 
Thank you for this. So the VLAN IDs are not hard coded in the Asus APs - that's great.

I also have a RT-AX86S in my setup - totally forgot about it! This also does not have a 2.5g port so can I assume that both RT-AX58U and RT-AX86S have the same port configs?

I will check using ifconfig. Thanks @Tech9
 
From my setup so far, I am testing a modified script on my RT-AX86S. I'll work on RT-AX58U after I get it all working.

guest network 2 (called vlan3) is working and clients connecting to this AP/SSID are getting an IP address from my opnsense router.
guest network 1 (called vlan2) with both 2.4g and 5g does not work. Tries to connect but no IP is assigned. I see the client connecting in the Asus wireless log so it is very close.

I have confirmed the opnsense config is fine, as this VLAN network is working fine when I connect a client via my Unifi AP.

Anything obviously wrong with my script?

Code:
#!/bin/sh

# Script to setup guest networks in ASUS routers in AP mode for use as APs on a Unifi Cloud Gateway router
#
# This script is based on previous work:
#
# Original script by Jimmy-Z is here:        https://gist.github.com/Jimmy-Z/6120988090b9696c420385e7e42c64c4
#
# Modification by Eric Lieb is here:        https://www.snbforums.com/threads/ac86u-vlan-tagging-with-merlinwrt.84508
#
# Modification by Maxbraketorque is here:    https://www.snbforums.com/threads/script-to-enable-isolated-guest-networks-on-asus-routers-in-ap-mode.84673
#
# The ASUS routers should be running Merlin firmware.
# Factory reset the routers then setup in AP mode.
# Make sure that custom scripts and SSH access are enabled.
#
# Setup Guest network #1 for use as a 2.4G IOT network
#    1. Give the 2.4G network your desired SSID
#    2. Set network authentication to WPA2-Personal
#    3. Set your desired network password
#    4. Set "Guest network on AiMesh" to "Router only"
#    5. Leave 5G network disabled
#
# Setup Guest network #2 for use as a 2.4G/5G guest network
#    1. Give the 2.4G network your desired SSID
#    2. Set network authentication to WPA2/WPA3-personal
#    3. Set your desired network password
#    4. Repeat steps 1-3 for the 5G network
#
# Guest network #1 will be assigned to VLAN 100
#
# Guest network #2 will be assigned to VLAN 200
#
# Changed for RT-AX86 and RT-AX58U as no 2.5G port
# The WAN port of each ASUS AP must be connected to the Unifi Cloud Gateway router.  It is assumed that the ASUS
# interfaces are as follows:
#       eth0            => WAN port
#       eth1~4            => 1 gbps LAN ports 4~1, they're numerically reversed
#       XXX eth5            => 2.5 gbps LAN port (does not exist on my APs)
#       eth5            => main network WiFi 2.4G
#       eth6            => main network WiFi 5G
#       wl0.1 through wl0.3 => WiFi 2.4G guest networks 1 thru 3
#       wl1.1 through wl1.3 => WiFi 5G   guest networks 1 thru 3
# Note that any of ports eth0 through eth5 can be used to connect the AP to the Unifi router.  You must modify the VLAN
# creation commands below to match your physical hookup.
#
# If a network switch is used between the ASUS AP and the Unifi Cloud Gateway router, the VLAN traffic must pass through properly.
#       1. Some unmanaged switches will pass the VLAN packets.  Others will not.  Buy a new switch if yours does not.
#       2. Managed switches will likely need to be programmed to pass the guest network VLANs.  The programming steps are
#       specific to each manufacturer's switch.
#
# Instructions for ASUS AP via SSH:
#    1. Copy this script to a file named "Unifi-AP-VLAN.sh" in the directory "/jffs/scripts/" on the ASUS AP.
#       a. This can be done by copying the script from a PC to a memory stick and then transferring the memory
#          stick to the ASUS AP.  Make sure that the file has Unix-style line endings.
#       b. Or you can create the file directly in the ASUS AP using a text editor.
#       c. Issue the command "chmod 0755 Unifi-AP-VLAN.sh" after saving the script file to "/jffs/scripts".
#    2. In the 'services-start' file, add the following line: "/jffs/scripts/Unifi-AP-VLAN.sh"
#    3. Reboot the AP.
#


# Start of script commands to create isolated guest network on ASUS router AP.


# identify script in log
logger -t "asus-vlan-config" -p 4 "Setting up guest network VLANs"

# turn off the radios to force all clients to deauthorize
wl -i eth5 down
wl -i eth6 down

# sleep to allow deauthorize to finish
sleep 1
logger -t "asus-vlan-config" -p 4 "wifi radios turned off"

# Remove GN#1 2.4G/5G and GN#2 2.4G/5G interfaces from current bridge
brctl delif br0 wl0.1
brctl delif br0 wl0.2
brctl delif br0 wl1.1
brctl delif br0 wl1.2

# Create VLAN 100 and VLAN 200 then link to port used to connect AP to main router (change "eth0" to whatever port you use)
# changed vlan id to 2 and 3 to match opnsense/unifi setup
ip link add link eth0 name vlan2 type vlan id 2
ip link set vlan2 up
ip link add link eth0 name vlan3 type vlan id 3
ip link set vlan3 up

logger -t "asus-vlan-config" -p 4 "vlan config created"

# Create new bridges, one for each VLAN
brctl addbr br1
brctl addbr br2

# Add GN#1 2.4G/5G and GN#2 2.4G/5G interfaces to new bridges
brctl addif br1 vlan2
brctl addif br1 wl0.1
brctl addif br1 wl0.2
brctl addif br2 vlan3
brctl addif br2 wl0.2
brctl addif br2 wl1.2

# Turn on the new bridges
ip link set br1 up
ip link set br2 up

logger -t "asus-vlan-config" -p 4 "vlan config applied"

# Create names in NVRAM
nvram set lan1_ifnames="wl0.1 wl0.2 vlan2"
nvram set lan1_ifname="br1"
nvram set br1_ifnames="wl0.1 wl0.2 vlan2"
nvram set br1_ifname="br1"
nvram set lan2_ifnames="wl0.2 wl1.2 vlan3"
nvram set lan2_ifname="br2"
nvram set br2_ifnames="wl0.2 wl1.2 vlan3"
nvram set br2_ifname="br2"

# eapd reads config from these (no need to set lan_ifname since it's already there)
nvram set lan_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth0"

# restart eapd
killall eapd
eapd

# sleep to allow any running scripts to finish
sleep 5

logger -t "asus-vlan-config" -p 4 "vlan setup complete. restarting wifi"

# turn on the radios
wl -i eth5 up
wl -i eth6 up

sleep 2
logger -t "asus-vlan-config" -p 4 "vlan script complete. wifi restarted"
 
Thanks. Typo. Spotted myself just now while looking through again. Now VLAN working on both, so GN1 and GN2.

You mentioned above that the RT-AX58 uses eth4 for WAN, so I will work on this AP next using eth4 instead of eth0. Thanks for that info too.

Correct and working script below.

Code:
#!/bin/sh

# Script to setup guest networks in ASUS routers in AP mode for use as APs on a Unifi Cloud Gateway router
#
# This script is based on previous work:
#
# Original script by Jimmy-Z is here:        https://gist.github.com/Jimmy-Z/6120988090b9696c420385e7e42c64c4
#
# Modification by Eric Lieb is here:        https://www.snbforums.com/threads/ac86u-vlan-tagging-with-merlinwrt.84508
#
# Modification by Maxbraketorque is here:    https://www.snbforums.com/threads/script-to-enable-isolated-guest-networks-on-asus-routers-in-ap-mode.84673
#
# The ASUS routers should be running Merlin firmware.
# Factory reset the routers then setup in AP mode.
# Make sure that custom scripts and SSH access are enabled.
#
# Setup Guest network #1 for use as a 2.4G IOT network
#    1. Give the 2.4G network your desired SSID
#    2. Set network authentication to WPA2-Personal
#    3. Set your desired network password
#    4. Set "Guest network on AiMesh" to "Router only"
#    5. Leave 5G network disabled
#
# Setup Guest network #2 for use as a 2.4G/5G guest network
#    1. Give the 2.4G network your desired SSID
#    2. Set network authentication to WPA2/WPA3-personal
#    3. Set your desired network password
#    4. Repeat steps 1-3 for the 5G network
#
# Guest network #1 will be assigned to VLAN 100
#
# Guest network #2 will be assigned to VLAN 200
#
# Changed for RT-AX86 and RT-AX58U as no 2.5G port
# The WAN port of each ASUS AP must be connected to the Unifi Cloud Gateway router.  It is assumed that the ASUS
# interfaces are as follows:
#       eth0            => WAN port
#       eth1~4            => 1 gbps LAN ports 4~1, they're numerically reversed
#       XXX eth5            => 2.5 gbps LAN port (does not exist on my APs)
#       eth5            => main network WiFi 2.4G
#       eth6            => main network WiFi 5G
#       wl0.1 through wl0.3 => WiFi 2.4G guest networks 1 thru 3
#       wl1.1 through wl1.3 => WiFi 5G   guest networks 1 thru 3
# Note that any of ports eth0 through eth5 can be used to connect the AP to the Unifi router.  You must modify the VLAN
# creation commands below to match your physical hookup.
#
# If a network switch is used between the ASUS AP and the Unifi Cloud Gateway router, the VLAN traffic must pass through properly.
#       1. Some unmanaged switches will pass the VLAN packets.  Others will not.  Buy a new switch if yours does not.
#       2. Managed switches will likely need to be programmed to pass the guest network VLANs.  The programming steps are
#       specific to each manufacturer's switch.
#
# Instructions for ASUS AP via SSH:
#    1. Copy this script to a file named "Unifi-AP-VLAN.sh" in the directory "/jffs/scripts/" on the ASUS AP.
#       a. This can be done by copying the script from a PC to a memory stick and then transferring the memory
#          stick to the ASUS AP.  Make sure that the file has Unix-style line endings.
#       b. Or you can create the file directly in the ASUS AP using a text editor.
#       c. Issue the command "chmod 0755 Unifi-AP-VLAN.sh" after saving the script file to "/jffs/scripts".
#    2. In the 'services-start' file, add the following line: "/jffs/scripts/Unifi-AP-VLAN.sh"
#    3. Reboot the AP.
#


# Start of script commands to create isolated guest network on ASUS router AP.


# identify script in log
logger -t "asus-vlan-config" -p 4 "Setting up guest network VLANs"

# turn off the radios to force all clients to deauthorize
wl -i eth5 down
wl -i eth6 down

# sleep to allow deauthorize to finish
sleep 1
logger -t "asus-vlan-config" -p 4 "wifi radios turned off"

# Remove GN#1 2.4G/5G and GN#2 2.4G/5G interfaces from current bridge
brctl delif br0 wl0.1
brctl delif br0 wl0.2
brctl delif br0 wl1.1
brctl delif br0 wl1.2

# Create VLAN 100 and VLAN 200 then link to port used to connect AP to main router (change "eth0" to whatever port you use)
# changed vlan id to 2 and 3 to match opnsense/unifi setup
ip link add link eth0 name vlan2 type vlan id 2
ip link set vlan2 up
ip link add link eth0 name vlan3 type vlan id 3
ip link set vlan3 up

logger -t "asus-vlan-config" -p 4 "vlan config created"

# Create new bridges, one for each VLAN
brctl addbr br1
brctl addbr br2

# Add GN#1 2.4G/5G and GN#2 2.4G/5G interfaces to new bridges
brctl addif br1 vlan2
brctl addif br1 wl0.1
brctl addif br1 wl1.1
brctl addif br2 vlan3
brctl addif br2 wl0.2
brctl addif br2 wl1.2

# Turn on the new bridges
ip link set br1 up
ip link set br2 up

logger -t "asus-vlan-config" -p 4 "vlan config applied"

# Create names in NVRAM
nvram set lan1_ifnames="wl0.1 wl1.1 vlan2"
nvram set lan1_ifname="br1"
nvram set br1_ifnames="wl0.1 wl1.1 vlan2"
nvram set br1_ifname="br1"
nvram set lan2_ifnames="wl0.2 wl1.2 vlan3"
nvram set lan2_ifname="br2"
nvram set br2_ifnames="wl0.2 wl1.2 vlan3"
nvram set br2_ifname="br2"

# eapd reads config from these (no need to set lan_ifname since it's already there)
nvram set lan_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth0"

# restart eapd
killall eapd
eapd

# sleep to allow any running scripts to finish
sleep 5

logger -t "asus-vlan-config" -p 4 "vlan setup complete. restarting wifi"

# turn on the radios
wl -i eth5 up
wl -i eth6 up

sleep 2
logger -t "asus-vlan-config" -p 4 "vlan script complete. wifi restarted"
 
What port on the back of your RT-AX58U is connected to your opnsense box? I thought that the connected port should match the one used in the VLAN creation "ip link" commands. If you are using the WAN port and it is eth4 as dave14305 pointed out, then the internal port switch must be passing the VLAN tagged traffic from eth0 to eth4. And if that is the case, it doesn't matter which port is used in the "ip link" commands.
 
I have two Asus APs. One ax86s with wan on eth0 and a ax58u with wan on eth4.

So I just updated the script to eth4 on the AX58U.

All working perfectly across my network with 3x APs mixed Asus and UniFi.

So thanks for sharing this. Works great.
 
What port on the back of your RT-AX58U is connected to your opnsense box?
Sorry missed this question. I have all my asus APs wired via the wan port (so eth0 on ax86u and eth4 on ax58u).
 
Attached is an updated script used to setup an Asus router as a VLAN-capable access point for use with a non-Asus router such as Unifi, pfSense, OPNsense, Firewalla, etc.

Changes were done to try and make it more versatile and easier to use.

One of the hardest things to figure out on the Asus router is what the port names are. You could do this manually by using SSH and the "ip a" command while inserting an active ethernet cable into only one port on the back of the router at a time while leaving all other ports disconnected. An excerpt of what you'd see is something like:

13: eth0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
14: eth1: <NO-CARRIER,BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast master br0 state DOWN group default qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff

In this example "eth0" is active, marked by "BROADCAST". And "eth1" is inactive, marked by "NO-CARRIER". All other "eth" ports should also be marked by "NO-CARRIER".

The script now attempts to determine the port names automatically. It can only determine the WAN port name, which you must use to connect the Asus AP to the non-Asus router. If you want to use a different port you must manually override the WANport variable in the script configuration section.

The suggested steps to use the script are:

1) Factory reset your router and set it up as an access point.
2) Enable the guest networks that you want to use. In my case, I use guest network #1 2.4G for IOT devices while leaving 5G disabled. And I use guest network #2 both 2.4G and 5G for a fully isolated guest network.
3) Run the script in SSH with only a single command line parameter. The value of the parameter doesn't matter. This will display the results of the auto-determination, along with all the commands that will be issued to setup the Asus AP. No changes to the Asus AP are made.
4) If you are satisfied with what you see, rerun the script without any command line parameters. This will setup the VLANs with guest network #1 having a VLAN ID of 100 and guest network #2 having a VLAN ID of 200.
5) If you require different VLAN IDs, you can run the script with two command line parameters. The first will be the VLAN ID of guest network #1 and the second the VLAN ID of guest network #2.

You can also edit the configuration section near the beginning of the script to override parameters. Here is what that section looks like:

###################################################
# start of user-modifiable configuration parameters
#

# default VLAN ID of 100 for guest network #1, this can also be overridden on the script command line
G1_vlanID="100"

# default VLAN ID of 200 for guest network #2, this can also be overridden on the script command line
G2_vlanID="200"

# the four possible guest networks (guest network #1 2.4G and 5G, guest network #2 2.4G and 5G)
#
# default value of 1 means setup a VLAN for this network if it is configured in Asus GUI
#
# change value to 0 to never setup a VLAN for this guest network
#
G1_24_enabled=1 # guest network #1 2.4G
G1_5_enabled=1 # guest network #1 5G
G2_24_enabled=1 # guest network #2 2.4G
G2_5_enabled=1 # guest network #2 5G

# port interface configuration
#
# the default values of "eth?" direct the script to try to auto-determine the correct
# interfaces from the Asus router NVRAM values
#
# replace the "eth?" with a real interface number to override the auto-determination
#
WANport="eth?" # WAN interface port
radio24="eth?" # 2.4G radio interface port
radio5="eth?" # 5G radio interface port

# these values are not auto-determined, if your router doesn't match these you must modify them by hand
W24="wl0" # 2.4G radio interface name
W5="wl1" # 5G radio interface name
G1_24="wl0.1" # guest network #1 2.4G interface name
G1_5="wl1.1" # guest network #1 5G interface name
G2_24="wl0.2" # guest network #2 2.4G interface name
G2_5="wl1.2" # guest network #2 5G interface name

#
# end of user-modifiable configuration parameters
###################################################

The script is only valid for use immediately after an Asus AP reboot. Read the comments at the beginning of the script to see how to automate the running of the script after reboots.

Certain changes that you might make to the Asus AP via the GUI sometimes result in a restart of the wireless radios. When this happens, the Asus code can invalidate what the script does. A good rule of thumb is to always reboot the Asus AP after any GUI changes that might affect the radios. I don't believe this is too onerous of a requirement. Once the Asus AP is setup, you really shouldn't have to mess with it. The non-Asus external router is what you'll be using.

The WAN port auto-determination has been tested and verified to work on an RT-AX86U, an RT-AX86S, an RT-AX58 and an RT-AX3000. It was tested on a MIPS based RT-N66U and doesn't work, though the VLAN setup code doesn't work on that old router either.

Special thanks to forum user jata for his valuable suggestions and help in testing and debugging this script.
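As an added example (not the thread's attached script), the three pieces the post describes written as POSIX sh functions: picking the single linked "eth" port out of "ip a" output, the command-line convention for VLAN IDs and dry-run, and generating the per-guest-network VLAN/bridge commands. The "ip a" excerpt is constructed, and the WAN port, bridge and wl interface names are passed in as arguments rather than read from NVRAM.

```shell
#!/bin/sh
# Added example (not the thread's script): the helpers the post describes, as
# functions: pick the linked "eth" port from "ip a" output, apply the argument
# convention (none = VLAN 100/200, one = dry run, two = custom IDs), and emit
# the per-guest-network VLAN/bridge commands.
# Constructed "ip a" excerpt: only eth0 has a cable, eth1 shows NO-CARRIER.
SAMPLE_IP_A='13: eth0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
14: eth1: <NO-CARRIER,BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast master br0 state DOWN group default qlen 1000
    link/ether 00:11:22:33:44:56 brd ff:ff:ff:ff:ff:ff'
# Print the one ethN interface with an active link (LOWER_UP, no NO-CARRIER).
# Fails when zero or several ports have a link, i.e. more than one cable is in.
find_linked_port() {
    ports=$(printf '%s\n' "$1" |
        awk -F'[ :]+' '/^[0-9]+: eth[0-9]+:/ && /LOWER_UP/ && !/NO-CARRIER/ {print $2}')
    [ "$(printf '%s\n' "$ports" | grep -c .)" -eq 1 ] || return 1
    printf '%s\n' "$ports"
}
# A usable 802.1Q VLAN ID is a decimal number in 1..4094 (0 and 4095 are reserved).
valid_vlan_id() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}
# Map the command line to "G1_ID G2_ID DRYRUN". The two IDs must differ, or the
# guest networks would land in the same VLAN and not be isolated from each other.
parse_args() {
    g1=100; g2=200; dry=0
    case $# in
        0) ;;
        1) dry=1 ;;
        2) valid_vlan_id "$1" && valid_vlan_id "$2" || return 1
           g1=$1; g2=$2 ;;
        *) return 1 ;;
    esac
    [ "$g1" != "$g2" ] || return 1
    printf '%s %s %s\n' "$g1" "$g2" "$dry"
}
# Print the commands that attach one guest network (its wireless interfaces)
# and a tagged sub-interface of the WAN port to a dedicated bridge.
vlan_cmds() { # usage: vlan_cmds WANPORT VLANID BRIDGE WIFI_IFACE...
    wan=$1; vid=$2; br=$3; shift 3
    echo "ip link add link $wan name vlan$vid type vlan id $vid"
    echo "ip link set vlan$vid up"
    echo "brctl addbr $br"
    echo "brctl addif $br vlan$vid"
    for w in "$@"; do echo "brctl addif $br $w"; done
    echo "ip link set $br up"
}
```

In dry-run mode the output of vlan_cmds is what you would review before running; with dry-run off it can be piped to sh on the AP.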
 
