Using VLANs for a 2nd Access Point with home & guest wifi

[Jack Yaz]

Am I right in thinking that I can create multiple VLANs using this approach, assuming I use the relevant vconfig and ifconfig to bring the vlans up?

/usr/bin/logger "========= ROBOCFG"
# lan ports 1-4 assigned to vlan1 when untagged, port 8 is the CPU
robocfg vlan 1 ports "1 2 3 4 8t"
# or all the ports can carry vlan4 if tagged as such
robocfg vlan 4 ports "1t 2t 3t 4t 8t"
robocfg vlan 5 ports "1t 2t 3t 4t 8t"
robocfg vlan 6 ports "1t 2t 3t 4t 8t"
(and so on)

 

[schmerg]

Am I right in thinking that I can create multiple VLANs using this approach, assuming I use the relevant vconfig and ifconfig to bring the vlans up?

/usr/bin/logger "========= ROBOCFG"
# lan ports 1-4 assigned to vlan1 when untagged, port 8 is the CPU
robocfg vlan 1 ports "1 2 3 4 8t"
# or all the ports can carry vlan4 if tagged as such
robocfg vlan 4 ports "1t 2t 3t 4t 8t"
robocfg vlan 5 ports "1t 2t 3t 4t 8t"
robocfg vlan 6 ports "1t 2t 3t 4t 8t"
(and so on)

You should be able to do so... I think the script excludes a line about adding the interface to the bridge

brctl addif br0 vlan4

as this only has to be done once and then persists across reboots.. but my memory here is a little hazy.

The clause at the top of the script checks if the VLAN already exists within robocfg and then only executes if it's not already there (for when I was starting and stopping services manually as aprt of my experimentation etc)

robocfg show | grep -i vlan4 > /dev/null 2>&1 || \
(

so you could check each one individually (or put a bash for loop around the above etc).

--
Tim

 

[jamestx10]

Or you can give a lease time of "infinite" (see the above man page again) if you can't see what's going wrong... you can do this on a per machine basis even (ie leave the above line with a normal lease time of an hour, and then use something like this

dhcp-host=00:20:e0:3b:13:af,wap,infinite

So that works from the script point of view and the client shows the lease good until the year 2153 BUT it still hangs and sends the dnsmasq-dhcp request to the router around 20 min later.

 

[Jack Yaz]

So that works from the script point of view and the client shows the lease good until the year 2153 BUT it still hangs and sends the dnsmasq-dhcp request to the router around 20 min later.

Sounds like your client is doing it's own thing and ignoring DHCP settings. Could you screenshot the network adapter config, wonder if there's anything obvious that jumps out

 

[schmerg]

Sounds like your client is doing it's own thing and ignoring DHCP settings. Could you screenshot the network adapter config, wonder if there's anything obvious that jumps out

Which should work tho... what happens if the client joins the normal wifi (ie forgetting all the VLAN stuff)?

Does it re-request at 20 minutes?
Does the request get granted?
What encryption/other options have you got turned on for the two SSIDs ?

 

[jamestx10]

Sounds like your client is doing it's own thing and ignoring DHCP settings. Could you screenshot the network adapter config, wonder if there's anything obvious that jumps out

Not sure of a way to show the whole config. Anything you are looking for specifically?

 

[jamestx10]

Which should work tho... what happens if the client joins the normal wifi (ie forgetting all the VLAN stuff)?

Does it re-request at 20 minutes?
Does the request get granted?
What encryption/other options have you got turned on for the two SSIDs ?

It took 75 min on the LAN AP and did the same thing.

The SSIDs are configured the same other then the VLAN tag. WPA2, AES/CCMP

 

[schmerg]

It took 75 min on the LAN AP and did the same thing.

The SSIDs are configured the same other then the VLAN tag. WPA2, AES/CCMP

So after 75 minutes it was showing the same problem?
Sounds like a problem with wifi on that device.. you could try tweaking the various settings on the router under "Professional" (or hmmm... "Network Key Rotation Interval" defaults to 3600 seconds.. try setting that to 0 and see what happens maybe).

 

[niwmik]

I'm trying to get this to work with a RT-AC68U (ASUSWRT-Merlin 384.6) and a UniFi AP-AC-Pro. My dnsmasq.conf.add and nat-start files are exactly the same as the ones in post #3. I have the UniFi AP-AC-Pro plugged into port 4 of the RT-AC68U.

Looking at the router's log file, I see that the dhcp range for vlan 4 is added and nat-start script is executed. Running "robocfg show" command, I see that vlan4 is created.

1: vlan1: 1 2 3 4 8t
2: vlan2: 0 8t
4: vlan4: 1t 2t 3t 4t 8t


On the UniFi AP-AC-Pro, I have a ssid INTERNAL that doesn't have a vlan tag. I have another ssid GUEST that has a vlan tag of 4.

Using an android tablet, I can access ssid INTERNAL. The problem is when I try to access ssid GUEST, I never get an i.p. from the router. I never see a DHCPREQUEST.

I then added the line "brctl addif br0 vlan4" after the line "ifconfig vlan4 192.168.4.1 netmask 255.255.255.0 up" thinking that was the reason why it was failing. I then was able to access ssid GUEST but it handed out the i.p. 192.168.1.x. and not 192.168.4.x. Then my entire network became unstable and I had to replace the router with a backup router. Looking at my unraid server log file, I see this line repeated:

Aug 11 14:23:18 Tower kernel: br0: received packet on eth0 with own address as source address (addr:40:8d:5c:99:99:c8, vlan:0)

Any ideas as why this is not working?

 

[schmerg]

I'm trying to get this to work with a RT-AC68U (ASUSWRT-Merlin 384.6) and a UniFi AP-AC-Pro. My dnsmasq.conf.add and nat-start files are exactly the same as the ones in post #3. I have the UniFi AP-AC-Pro plugged into port 4 of the RT-AC68U.
...snip...
Any ideas as why this is not working?

The fact INTERNAL was working but not GUEST looks consistent with the fact that the brctl command to add interface 4 to bridge 0 hadn't been run.
Now that "brctl addif br0 vlan4" only needs to be executed once as it seems to persist the setting across reboots.
So now that it's been run, I'd remove that line you added to the script, and reboot.

If you're still not getting IPs in the right range on GUEST, you can look at the /etc/dnsmasq.conf to see that the lines were added properly.
And post #40 has some suggestions as to getting dnsmasq to log what it's doing / dump statistics.

If all else fails, I came up with this by typing individual commands and seeing how everything responds, you could try that sort of approach too.
Me, I've replaced my N66U with an AC86U which doesn't support robocfg (the internal switch is not as documented it seems) so I'm having to ditch this approach and swap back to the small managed switch that I first tried, and I've managed to find a setup where that works for me.

Good luck with it..

 

[klingon888]

I'm trying to get this to work with a RT-AC68U (ASUSWRT-Merlin 384.6) and a UniFi AP-AC-Pro. My dnsmasq.conf.add and nat-start files are exactly the same as the ones in post #3. I have the UniFi AP-AC-Pro plugged into port 4 of the RT-AC68U.

Looking at the router's log file, I see that the dhcp range for vlan 4 is added and nat-start script is executed. Running "robocfg show" command, I see that vlan4 is created.

1: vlan1: 1 2 3 4 8t
2: vlan2: 0 8t
4: vlan4: 1t 2t 3t 4t 8t

I was in same situation as you with the same Unifi-AC-PRO. For the AC68, you need 5t and not 8t. Also, most posts recommend using VLAN tag 100 as the lower ranges may get used by Asus.

robocfg vlan 1 ports "1 2 3 4 5t"
robocfg vlan 100 ports "1t 2t 3t 4t 5t" (assuming you're using vlan tag 100)

My setup:
nat-start:
#!/bin/sh
robocfg show | grep -i vlan100 > /dev/null 2>&1 || \
(
robocfg vlan 1 ports "1 2 3 4 5t"
robocfg vlan 100 ports "1t 2t 3t 4t 5t"

vconfig add eth0 100 || /usr/bin/logger "VLAN 100 already exists"

ifconfig vlan100 192.168.10.1 netmask 255.255.255.0 up

# I had to add this, else I get the "Dead loop on virtual device vlan100, fix it urgently" msgs in the logs
sleep 5
tc qdisc add dev vlan100 root pfifo
)


firewall-start:
#!/bin/sh
iptables -I FORWARD -i vlan100 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan100 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o vlan100 -m state --state NEW -j DROP
iptables -I INPUT -i vlan100 -m state --state NEW -j DROP
iptables -I INPUT -i vlan100 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i vlan100 -p udp -m multiport --dport 53,67 -j ACCEPT

 

[niwmik]

I was in same situation as you with the same Unifi-AC-PRO. For the AC68, you need 5t and not 8t. Also, most posts recommend using VLAN tag 100 as the lower ranges may get used by Asus.

robocfg vlan 1 ports "1 2 3 4 5t"
robocfg vlan 100 ports "1t 2t 3t 4t 5t" (assuming you're using vlan tag 100)

My setup:
nat-start:
#!/bin/sh
robocfg show | grep -i vlan100 > /dev/null 2>&1 || \
(
robocfg vlan 1 ports "1 2 3 4 5t"
robocfg vlan 100 ports "1t 2t 3t 4t 5t"

vconfig add eth0 100 || /usr/bin/logger "VLAN 100 already exists"

ifconfig vlan100 192.168.10.1 netmask 255.255.255.0 up

# I had to add this, else I get the "Dead loop on virtual device vlan100, fix it urgently" msgs in the logs
sleep 5
tc qdisc add dev vlan100 root pfifo
)


firewall-start:
#!/bin/sh
iptables -I FORWARD -i vlan100 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan100 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o vlan100 -m state --state NEW -j DROP
iptables -I INPUT -i vlan100 -m state --state NEW -j DROP
iptables -I INPUT -i vlan100 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i vlan100 -p udp -m multiport --dport 53,67 -j ACCEPT

Thanks, I'll give this a try. In regards to why I use 8T instead of 5T on my rt-ac68u, I believe it's because I have NAT Acceleration turned on based off of the info found at:

https://elatov.github.io/2017/04/revert-to-asus-wrt-from-dd-wrt-on-asus-rt-ac68u-router/

When I run "robocfg show", I get the following:

1: vlan1: 1 2 3 4 8t
2: vlan2: 0 8t
4: vlan4: 1t 2t 3t 4t 8t

 

[kushwavez]

Thanks for this, I got it working on my AC56U.
Is there any way to use QoS on this VLAN? In GUI I don't have any infos related to the separated VLAN (with IP address 192.168.2.1), no clients showing up. Now this is not a problem for me, I can monitor them if I want over my AP but I need QoS. In GUI if I simply write 192.168.2.0/24 onto QoS nothing happens, because it's not related to the separated VLAN. I think I need to configure the QoS manually with scripts for this VLAN, but I didn't find any documentations about this so I don't know how to do it manually from cmd.

 

[us3rnotfound]

I installed the config file just as OP did, set up a guest network on LAN port 4, calling it vlan100 with IP range specified in dnsmasq.conf.add 192.168.100.2-254.

The only thing is when I restart the router with a computer already plugged in and on at LAN port 4, when the router is fully booted it gives the computer a 192.168.1.X IP address instead of the DHCP subnet I gave to vlan100. And the router eventually just drops the computer and the computer doesn't ask for another DHCP, I suspect because it's not even in the vlan so it's just a brick at this point. Only when I unplug the ethernet cable and plug it back in does the computer get a proper 192.168.100.X IP. And it works perfectly there on out until I reboot the router. Is there anything I can do about this?

 

[Fmstrat]

@schmerg Thank you for posting all of this. I am about to pick up an RT-AX88U and want to isolate one of the LAN ports on a VLAN. Basically, whatever is plugged into that port gets WAN, but is completely isolated from the other LAN. Any chance you could help me determine what parts of your script I need? (new to VLANs) Thanks!

 

[ColinTaylor]

@schmerg Thank you for posting all of this. I am about to pick up an RT-AX88U and want to isolate one of the LAN ports on a VLAN. Basically, whatever is plugged into that port gets WAN, but is completely isolated from the other LAN. Any chance you could help me determine what parts of your script I need? (new to VLANs) Thanks!

This thread is not applicable to the RT-AX88U. I have provided more information in your original thread.

 

[tsanga]

Thanks to schmerg’s script in post #3 I have a vlan setup that works with the guest SSID on a pair of AirPort Extremes.

... except it works for some time - I don’t know how long - and eventually the router stops providing DHCP on the guest subnet. Unlike jamestx10, I don’t even see the DHCP request on the vlan in syslog. Restarting dnsmasq doesn’t bring it back, only a reboot of the router restores it for the next period of time.

Can someone point me where to look for clues?

 

[TechTinkerer]

And it's working.. VLAN tagging wasn't quite as tricky as it seemed last time I tried (hints about what I maybe got stuck on last time around below).
So now my AP is plugged directly into the router (via a very long cable) and is running two SSIDs, one (the "home" wifi) is tagged as VLAN 1 , the default VLAN, and the other (the "guest" wifi) is tagged as VLAN 4.
On the router, VLAN1 is fine if tagged... untagged packets are assumed to be VLAN1 when read from a port so the home wifi works just fine.
But VLAN4 needs configuring to tell the router what to do ... namely
- tell the router that not only can all the physical ports carry the default VLAN1 (tagged or untagged - VLAN1 doesn't mind), but that all the physical ports are also allowed to carry VLAN 4 if tagged appropriately
- create VLAN4
- bring VLAN4 up (I put this on it's own subnet but that's not strictly needed I think)
- iptables rules to allow VLAN4 packets out on the WAN
- configure dnsmasq to handle DHCP requests on VLAN4

So the last one first, is just the user config file described above

/jffs/configs/dnsmasq.conf.add
# Add DHCP custom range for VLAN 4 being a private network
#
interface=vlan4
dhcp-range=vlan4,192.168.4.10,192.168.4.200,255.255.255.0,86400s
dhcp-option=vlan4,3,192.168.4.1
dhcp-option=vlan4,6,192.168.4.1,0.0.0.0

The rest can be done with an nat-start script

/jffs/scripts/nat-start
#!/bin/sh
#
/usr/bin/logger "================== NAT START ==================="
robocfg show | grep -i vlan4 > /dev/null 2>&1 || \
(
/usr/bin/logger "========= ROBOCFG"
# lan ports 1-4 assigned to vlan1 when untagged, port 8 is the CPU
robocfg vlan 1 ports "1 2 3 4 8t"
# or all the ports can carry vlan4 if tagged as such
robocfg vlan 4 ports "1t 2t 3t 4t 8t"

/usr/bin/logger "====== VCONFIG"
# Create VLAN4
vconfig add eth0 4 || /usr/bin/logger "VLAN 4 already exists"

/usr/bin/logger "====== IFCONFIG"
# Bring VLAN4 up (note that dnsmasq has already been configured for this address)
ifconfig vlan4 192.168.4.1 netmask 255.255.255.0 up

/usr/bin/logger "======= IPTABLES"
# And set iptables rules for VLAN4 to access the WAN only
# Seems a slight delay here is handy....
sleep 5
iptables -I FORWARD -i vlan4 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan4 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o vlan4 -m state --state NEW -j DROP
iptables -I INPUT -i vlan4 -j ACCEPT
)
/usr/bin/logger "=================== NAT DONE ==================="

The "logger" lines write messages to the system log and help when you're trying to spot stuff.

Now the only gotcha I found is that without the pause before the iptables commands, VLAN4 didn't work... DHCP requests went unanswered and static IPs didn't work either.

I think, and again I'm making wild guesses only, that while we've brought up VLAN4, it takes a while to settle/initialise, and without the sleep, then the iptables rules are ignored and so VLAN4 packets are dropped as there are no rules for what to do with them.

DHCP seemed to be an issue last time I tried, so perhaps just this "sleep" is all that was needed then.

Anyway, my AP now broadcasts 2 SSIDs, one of which has full access to the internal network, and the other of which hands out a different IP subnet and can only access the WAN, and this AP can now be connected via a cable to service far parts of property.

Hope it helps someone trying to do the same... the forums do seem to have a number of questions about VLANs but not too many success stories.

Now... wonder what else I can use this small managed switch for....

--
Tim

Hi Tim, in your script what does 8t correspond to as would like to try this with a ac86u?
Thankyou