VLAN Tag Ethernet ports

ToasterPC

Occasional Visitor
Hey there!

I was finally able to segment my network using the guest SSIDs of both my GT-AX11000 and my RT-AX86U on AP mode (both HND, non-Pro models), though I had to disable AiMesh in the process (so far, no major issues).

However, I've been trying to add VLAN tags to the individual Ethernet ports of the routers and I've come up empty as of yet, as trying to just take the interface down, add the tag, enable it and add it to the original bridge or to an individual one has produced no available connectivity in any of the devices I've connected to them.

Given that the SSIDs are working correctly using the same procedure, I'm wondering if I'm missing some step along the way, or if this is possible at all in the first place (I can't imagine why it wouldn't be, but just making sure).

Also (as an oddity), whenever I run the script I put together, sometimes an interface called eth8 will show up out of nowhere, so maybe that's a clue(?).

In any case, I'll link the script I'm currently using, any help would be appreciated. In particular, I believe that perhaps someone like @Jack Yaz might know how to attempt something like this.

(I was advised to open a thread over on this subforum and be more likely to get an answer, so please excuse the duplicate)

As for now, thanks in advance!
 
VLAN tags have notoriously been an issue with Asus. Asus uses them within their AiMesh implementation for sharing guest network 1, yet they screwed up on some model's implementation (e.g., GT-AXE16000). It was an all-out battle with tech support to establish that they do in fact use VLAN tags.
 
I also had a similar experience about a year ago, without success to date.
As I monitor the new posts on this forum almost weekly, I would say that nobody has managed to make it work for 386/388 firmware, or at least to share with us a working script for VLAN-tagged Ethernet ports for the newer models.

There are some "working" solutions, like buying a cheap VLAN-aware switch, as documented in this thread: https://www.snbforums.com/threads/h...-386-or-388-code-no-scripting-required.85850/
Another solution would be to move to the Pro version from Asus.
 
If it helps, here is the script I was using on my AC86U when I had it in AP mode. Worked fine for me. The only tricky part is that the setup gets torn down every time the firewall restarted. To resolve, besides starting the script from services-start, I also had a routine in services-event that triggered the setup again if the firewall restarted.

The script made the eth0 port into a trunked port.

Bash:
#!/bin/sh

# multi SSID with VLAN script, for ASUS AC86U with merlin
#
# setup before hand:
#       set "router" to "AP Mode"
#               this will put all ports and wireless in br0
#       create 2 guest network
#       enable Administration => System => Enable JFFS custom scripts and configs
#       put this script in /jffs/scripts/, name should be "services-start"
#               remember `chmod a+x services-start`
#       I strongly suggest you use static IP instead of DHCP
#               In my test, the "router" will pickup DHCP lease from VLAN 1 instead of VLAN 227
#       reboot
# some basic info of the original AP mode:
#       eth0 => WAN port
#       eth1~4 => LAN port 4~1, they're reversed
#       eth5 => WiFi 2.4G
#       eth6 => WiFi 5G
#       wl0.1, wl0.2 => WiFi 2.4G guest networks
# this setup:
#       WAN port (eth0) will be repurposed as a tagged port
#       LAN ports (eth1~4) and primary WiFi (eth5,6) will be on VLAN 227
#       guest network 1 will be on VLAN 11
#       guest network 2 will be on VLAN 12

#echo "============== START 1 $(date) ==================" >> /jffs/scripts/log
#ip a >> /jffs/scripts/log
#ip r >> /jffs/scripts/log
#brctl show >> /jffs/scripts/log
#echo "============== END 1 $(date) ==================" >> /jffs/scripts/log

# echo $PATH > /tmp/script_debug

# remove eth0 which will be reconfigured as a tagged port
brctl delif br0 eth0
# remove interfaces we're gonna move to other bridges
brctl delif br0 wl0.1
brctl delif br0 wl0.2

# add vlans
# interestingly, depending on the time passed since system boot,
# vlan interfaces will be named eth0.1 or vlan1, I guess some udev rules got loaded.
# so we use ip link instead of vconfig to specify a name explicitly.
ip link add link eth0 name eth0.227 type vlan id 227
ip link add link eth0 name eth0.11 type vlan id 11
ip link add link eth0 name eth0.12 type vlan id 12
ip link set eth0.227 up
ip link set eth0.11 up
ip link set eth0.12 up

# reconfigure br0, private LAN
brctl addif br0 eth0.227

# set up br1, guest LAN
brctl addbr br1
brctl addif br1 eth0.11
brctl addif br1 wl0.1
brctl setfd br1 2
ip link set br1 up

# set up br2, another guest LAN for IoT devices
brctl addbr br2
brctl addif br2 eth0.12
brctl addif br2 wl0.2
brctl setfd br2 2
ip link set br2 up

# seems like eapd reads config from these
# no need to set lan_ifname since it's already there
nvram set lan_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth0.227"

nvram set lan1_ifnames="wl0.1 eth0.11"
nvram set lan1_ifname="br1"

nvram set lan2_ifnames="wl0.2 eth0.12"
nvram set lan2_ifname="br2"

# doesn't seem to affect anything, just make it align
nvram set br0_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth0.227"

nvram set br1_ifnames="wl0.1 eth0.11"
nvram set br1_ifname="br1"

nvram set br2_ifnames="wl0.2 eth0.12"
nvram set br2_ifname="br2"

# we do NOT issue `nvram commit` here since it won't survive reboot anyway

# is there a better way to do this like `service restart eapd` ?
killall eapd
eapd

#echo "============== START 2 $(date) ==================" >> /jffs/scripts/log
#ip a >> /jffs/scripts/log
#ip r >> /jffs/scripts/log
#brctl show >> /jffs/scripts/log
#echo "============== END 2 $(date) ==================" >> /jffs/scripts/log
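
The post mentions a routine that re-applies the setup after a firewall restart but does not show it. The following is an added example, not the poster's routine or Asuswrt-Merlin code: it parses `brctl show` and reports when a guest interface is no longer in its own bridge. The function names, the `$1` = event / `$2` = target hook arguments, and both sample outputs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the poster's routine): detect bridge-layout drift.
# Expected interface:bridge pairs, taken from the script in the post.
EXPECTED="eth0.227:br0 eth0.11:br1 wl0.1:br1 eth0.12:br2 wl0.2:br2"

# bridge_of IFACE: reads `brctl show` text on stdin, prints IFACE's bridge.
bridge_of() {
    awk -v want="$1" '
        NF == 0 || ($1 == "bridge" && $2 == "name") { next }  # blank or header
        { c = substr($0, 1, 1) }
        c == " " || c == "\t" { ifc = $1 }                     # continuation row
        c != " " && c != "\t" { br = $1; ifc = $4 }            # new bridge row
        ifc == want { print br; exit }
    '
}

# check_layout [TEXT]: 0 if every pair matches, 1 otherwise; prints mismatches.
# Without TEXT it inspects the live system through `brctl show`.
check_layout() {
    out=${1:-$(brctl show)}
    rc=0
    for pair in $EXPECTED; do
        ifc=${pair%%:*}; want=${pair##*:}
        got=$(printf '%s\n' "$out" | bridge_of "$ifc")
        [ "$got" = "$want" ] && continue
        echo "DRIFT $ifc: expected $want, found ${got:-none}"
        rc=1
    done
    return $rc
}

# on_service_event EVENT TARGET [TEXT]: prints skip, intact or rebuild.
# Assumption: the hook passes the event as $1 and the target as $2.
on_service_event() {
    [ "$2" = firewall ] || { echo skip; return 0; }
    if check_layout "$3" >/dev/null; then echo intact; else echo rebuild; fi
}

# Constructed samples of `brctl show` output (not captured from a device).
SAMPLE_OK='bridge name  bridge id          STP enabled  interfaces
br0          8000.020000000001  no           eth1
                                             eth0.227
br1          8000.020000000002  no           eth0.11
                                             wl0.1
br2          8000.020000000003  no           eth0.12
                                             wl0.2'
SAMPLE_TORN='bridge name  bridge id          STP enabled  interfaces
br0          8000.020000000001  no           eth1
                                             eth0.227
                                             wl0.1
                                             wl0.2'
```

On the router, a hook script would call `on_service_event "$1" "$2"` and re-run `/jffs/scripts/services-start` when it prints `rebuild`. A `DRIFT` line showing `wl0.1` or `wl0.2` in `br0` means guest clients are bridged onto the private LAN until the setup is re-applied.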
 
