VLANs on Merlin in AP mode + pfSense

[Haraldinho]

I hope somebody can help me figure out what I do wrong... My setup is as follows:

I have a pfSense box that is connected to a Cisco SG-250 10P managed switch on port 1 in trunk mode. My Asus RT-AC5300 is in AP mode and is also connected to the Cisco on port 2, also in trunk mode. I have several VLANs configured (30,40,50,60) on all three boxes.

VLAN 60 is my guest network. What I notice is that a windows PC connected wireless to the AC5300 is sometimes showing the right gateway in ipconfig/all (192.168.60.1), but also sometimes the gateways of the other VLANs. So it looks like traffic is crossing VLANs.

My problem is that this is a hobby project where I want to learn how VLANs work and how I can make my network more secure. So I know I am missing knowledge.

My current gut feeling is that the problem is caused by my VLAN configuration in services-start, that is based on information on all of the posts I have read on the subject. I had some hopes on @Martineau 's VLANscript, however, that does not work for devices in AP mode.

Who can judge if my services-start script is correct for my setup? The script is below:

#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

# vlan30 - gaming
# vlan40 - IoT
# vlan50 - camera network
# vlan60 - guest network

# port 0 is WAN
# port 1 is link to AiMesh node ap2
# port 8 is internal on the RT-AC5300

logger starting vlan setup

logger setting up vlan30
robocfg vlan 30 ports "0t 1t 8t"
vconfig add eth0 30
ip link set vlan30 up
logger vlan30 up

brctl delif br0 wl0.1

brctl addbr br30
brctl addif br30 vlan30
brctl addif br30 wl0.1
logger vlan30 setup ended


logger setting up vlan40
robocfg vlan 40 ports "0t 1t 8t"
vconfig add eth0 40
ip link set vlan40 up
logger vlan40 up

brctl delif br0 wl0.2
brctl delif br0 wl1.2

brctl addbr br40
brctl addif br40 vlan40
brctl addif br40 wl0.2
brctl addif br40 wl1.2
logger vlan40 setup ended


logger setting up vlan50
robocfg vlan 50 ports "0t 1t 8t"
vconfig add eth0 50
ip link set vlan50 up
logger vlan50 up

brctl delif br0 wl0.3

brctl addbr br50
brctl addif br50 vlan50
brctl addif br50 wl0.3
logger vlan50 setup ended


logger setting up vlan60
robocfg vlan 60 ports "0t 1t 8t"
vconfig add eth0 60
ip link set vlan60 up
logger vlan60 up

brctl delif br0 wl1.1
brctl delif br0 wl2.1

brctl addbr br60
brctl addif br60 vlan60
brctl addif br60 wl1.1
brctl addif br60 wl2.1
logger vlan60 setup ended


logger set nvram variables and restart eapd

logger kill eapd
killall eapd

logger setting nvram
#eth1 and eth2 are 2.4 and 5ghz main wifi
nvram set lan_ifnames="vlan1 eth1 eth2 eth3 wl2.2"
nvram set lan_ifname="br0"

nvram set lan1_ifnames="vlan30 wl0.2 wl1.2"
nvram set lan1_ifname="br30"

nvram set lan2_ifnames="vlan40 wl0.1"
nvram set lan2_ifname="br40"

nvram set lan3_ifnames="vlan50 wl0.3"
nvram set lan3_ifname="br50"

nvram set lan4_ifnames="vlan60 wl1.1 wl2.1"
nvram set lan4_ifname="br60"

#Isolate clients from each other for most networks to improve security
logger set AP isolation
nvram set wl0.1_ap_isolate=1
nvram set wl0.3_ap_isolate=1
nvram set wl1.1_ap_isolate=1
nvram set wl2.1_ap_isolate=1
wl -i wl0.1 ap_isolate 1
wl -i wl0.3 ap_isolate 1
wl -i wl1.1 ap_isolate 1
wl -i wl2.1 ap_isolate 1

#vlan30 cannot have AP isolation, as e.g. Nest equipment needs to 'see' each other
nvram set wl0.2_ap_isolate=0
nvram set wl1.2_ap_isolate=0
wl -i wl0.2 ap_isolate 0
wl -i wl1.2 ap_isolate 0


logger bring up bridges
ip link set br30 up
ip link set br40 up
ip link set br50 up
ip link set br60 up

logger restart eapd
eapd

logger vlan setup finished

 

[Haraldinho]

I decided today to leave the Asus ecosystem and switch to Ubiquity, which supports VLANs in a simple way.

 

[coxhaus]

Yes it will be easier. If you want to make the ASUS work then the ASUS port needs to be in trunk mode and the ASUS wireless needs to assign SSIDs to specific VLANs in the ASUS.

 

[Haraldinho]

@coxhaus Just curious... how do you put the port in trunk mode and which port would that be? What command should be used?

 

[coxhaus]

I don't think you can with ASUS but I was telling you what needed to happen incase there was a way.

 

[Chrisgtl]

I decided today to leave the Asus ecosystem and switch to Ubiquity, which supports VLANs in a simple way.

Which product did you go for? I'm in the same boat and getting tired of waiting for Asus to pull their finger out.

The year is 2020 and Asus still unable to release a firmware for 86U that has AiMesh and Guest Network support.

Blimey!

 

[Haraldinho]

Hi @Chrisgtl I purchased the Ubiquiti Unifi nanoHD AP. I installed it yesterday evening and so far I am enthousiastic. The whole VLAN config works out of the box by simply assigning a VLAN to a WiFi network. No more messing around with scripts that are a bit beyond my knowledge level . One minor drawback is that it only supports 4 active SSIDs. Technically 8, because you can separate 5GHz and 2.4GHz names, but only such that the 2.4Ghz SSID has a suffix like _2G.