VLAN tags out of the WAN interface

[develox]

I'm trying myself too to separate traffic on my RT-AC68U (running Merlin 378.50) between "everything" and guest WLAN.

I just got a used ZyWall to put in front of the Asus, so the first thing I'm trying to understand is whether I can read the VLAN tags out of the Asus' WAN interface (connected to a ZyWall LAN port).

I've been reading quite a lot on the forum about different problems/solutions of people trying to segment their network through VLANs. But (full disclaimer) since I'm quite newbie to advanced networking (one reason here is also to learn) I thought I would try with the simplest approach first. So I started with the approach I deduced from here:

https://github.com/RMerl/asuswrt-me...oadcom/bcm947xx/compressed/rt-ac68u_nvram.txt

and hence set the following on /jffs/scripts/services-start:

nvram set vlan2ports="0 5t"
nvram set wandevs=vlan2
nvram commit

so that my overall config after this looks like this:

/tmp/home/root# robocfg show
Switch: enabled
Port 0:  100FD enabled stp: none vlan: 2 jumbo: off mac: e8:de:27:77:3f:1f
Port 1:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 40:3c:fc:00:25:bc
Port 2:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:19:cb:be:db:73
Port 4:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8:   DOWN enabled stp: none vlan: 2 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 1 2 3 4 5t
   2: vlan2: 0 5
  56: vlan56: 1 2t 3 8u
  57: vlan57: 0t 1t 2 4t 5 7
  58: vlan58: 2 3t 4 5
  59: vlan59: 2 5 8u
  60: vlan60: 2 3 7 8t
  61: vlan61: 0 1t 2 4 5 7t
  62: vlan62: 2t 4 8t

My port 5 (the MAC interface to the external switch or switch core), on the WAN vlan, is now hence tagged instead of the default untagged. I didn't expect much from this, just to see the 802.1Q tags on Ethernet frames sniffing on the ZyWall (pings between wired machines inside and outside the Asus domain). But nothing came up. I might well be overlooking something.

Any help/clue on how can I achieve this ? If I succeed I can then approach the problem of VLANs separation, knowing that I can work out the VLAN tags on the ZyWall.

Thanks
Peppe

 

[coxhaus]

I don't know either router but if the VLAN tags 802.1Q then they are an IEEE standard and will be compatible. I assume you know that VLAN tags are more related to the switch side rather than the router side. It is only when you add layer 3 to the VLAN is when you need the router.

 

[develox]

I don't know either router but if the VLAN tags 802.1Q then they are an IEEE standard and will be compatible.

That's what I was hoping and looking for on the packet captures. But even understanding that I'm looking for the wrong thing, that I'm setting the config wrong or that no tags will ever come out of the WAN (I'd be surprised though) would be of help.

 

[coxhaus]

On the switch side you create a trunk port. This trunk port will carry packets with VLAN tags. If you have a access port defined you will not see the VLAN tags.

 

[develox]

On the switch side you create a trunk port. This trunk port will carry packets with VLAN tags. If you have a access port defined you will not see the VLAN tags.

My hope is that the ports (or at least WAN) are of the third type (general or hybrid) that can work both as an access and as a trunk port, or can be made so.