VLANs, Trunk interface, tagged and untagged traffic RT-AX86U and RT-AX88U

[vlanvlan]

It took me a while to make this thing work. I could find some configs but nothing worked as provided. After combining information from several different posts I came to the working solution posted below. As it took me a while to get it to work I figured I'd share it here in case anyone else might be looking for similar configs. All credits go to the people originally finding the right commands for these platforms, I just tied them together for my specific case.

This setup uses the WAN port as dot1q trunk interface to an upstream firewall on the RT-AX88U router, and the 2.5Gbit interface on the RT-AX86U router. To prevent any config accidents no networks have been configured in the default (untagged) VLAN. I choose to keep using br0 as management network as I figured the software might perhaps have all sorts of issues if switching the layer 3 config to another bridge. I have not tested this, just assumed it. The IP address doesn't require to be set in the config, its just a failsafe incase I messed something up. I advice to load your config in a testfile and execute this to test if things work as intended. If not, a simple power-cycle of your device will bring it back in its original state. Once you're done figuring out your settings you can add it to /jffs/scripts/services-start. (For testing: nano test -> paste config -> safe file. chmod +x test. To execute write ./test - Once working, add your config to /jffs/scripts/services-start and give a chmod +x /jffs/scripts/services-start - your config will be loaded during boot time)

The vlanctl commands are required to add and remove VLAN tags for the dot1q trunk when it passes through the vlan subinterface. The bridge interfaces tie the interfaces together. For some reason the vconfig part was required to make everything communicate.

# RT-AX88U interface layout
# eth0 -> WAN
# eth1 -> LAN4
# eth2 -> LAN3
# eth3 -> LAN2
# eth4 -> LAN1
# eth5 -> (not tested) hardware bridge LAN5-8
# eth6 -> 2.4Ghz radio (non guest)
# eth7 -> 5Ghz radio (non guest)
# wl0.1 -> First wireless guest 2.4Ghz
# wl1.1 -> First wireless guest 5Ghz
# wl0.2 -> Second wireless guest 2.4Ghz
# wl1.2 -> Second wireless guest 5Ghz


# Remove interfaces from default br0 interface
brctl delif br0 eth1
brctl delif br0 eth2
brctl delif br0 eth3
brctl delif br0 eth4
brctl delif br0 eth5
brctl delif br0 eth6
brctl delif br0 eth7
brctl delif br0 wl0.1
brctl delif br0 wl1.1
brctl delif br0 wl0.2
brctl delif br0 wl1.2


# VLAN 2
vlanctl --mcast --if-create eth0 2
vlanctl --if eth0 --rx --tags 1 --filter-vid 2 0 --pop-tag --set-rxif eth0.v2 --rule-append
vlanctl --if eth0 --tx --tags 0 --filter-txif eth0.v2 --push-tag --set-vid 2 0 --rule-append
ifconfig eth0.v2 up
brctl addif br0 eth0.v2
ifconfig br0 10.0.0.2 netmask 255.255.255.0
brctl setfd br0 0
ip link set br0 up


# VLAN 3
vlanctl --mcast --if-create eth0 3
vlanctl --if eth0 --rx --tags 1 --filter-vid 3 0 --pop-tag --set-rxif eth0.v3 --rule-append
vlanctl --if eth0 --tx --tags 0 --filter-txif eth0.v3 --push-tag --set-vid 3 0 --rule-append
ifconfig eth0.v3 up
brctl addbr br3
brctl setfd br3 0
brctl addif br3 eth0.v3
brctl addif br3 eth6
brctl addif br3 eth7
brctl addif br3 eth1
brctl addif br3 eth3
brctl addif br3 eth4
vconfig add br3 3
ip link set br3 up


# VLAN 4
vlanctl --mcast --if-create eth0 4
vlanctl --if eth0 --rx --tags 1 --filter-vid 4 0 --pop-tag --set-rxif eth0.v4 --rule-append
vlanctl --if eth0 --tx --tags 0 --filter-txif eth0.v4 --push-tag --set-vid 4 0 --rule-append
ifconfig eth0.v4 up
brctl addbr br4
brctl setfd br4 0
brctl addif br4 eth0.v4
brctl addif br4 wl0.1
brctl addif br4 wl1.1
vconfig add br4 4
ip link set br4 up


# VLAN 6
vlanctl --mcast --if-create eth0 6
vlanctl --if eth0 --rx --tags 1 --filter-vid 6 0 --pop-tag --set-rxif eth0.v6 --rule-append
vlanctl --if eth0 --tx --tags 0 --filter-txif eth0.v6 --push-tag --set-vid 6 0 --rule-append
ifconfig eth0.v6 up
brctl addbr br6
brctl setfd br6 0
brctl addif br6 eth0.v6
brctl addif br6 eth2
vconfig add br6 6
ip link set br6 up


# VLAN 7
vlanctl --mcast --if-create eth0 7
vlanctl --if eth0 --rx --tags 1 --filter-vid 7 0 --pop-tag --set-rxif eth0.v7 --rule-append
vlanctl --if eth0 --tx --tags 0 --filter-txif eth0.v7 --push-tag --set-vid 7 0 --rule-append
ifconfig eth0.v7 up
brctl addbr br7
brctl setfd br7 0
brctl addif br7 eth0.v7
brctl addif br7 wl0.2
brctl addif br7 wl1.2
vconfig add br7 7
ip link set br7 up


# Deal with DHCP etc, prevent from working in untagged
vlanctl --if eth0 --set-if-mode-rg
vlanctl --if eth0 --tx --tags 0 --default-miss-drop


# Deals with traffic between local interfaces when operating with sub-interfaces
ethswctl -c hw-switching -o disable

# RT-AX86U interface layout
# eth0 -> WAN
# eth1 -> LAN4
# eth2 -> LAN3
# eth3 -> LAN2
# eth4 -> LAN1
# eth5 -> LAN 2.5Gbit
# eth6 -> WLAN 2.4 GHz (but not used?)
# eth7 -> WLAN 5 GHz (but not used?)
# wl0.1 -> WLAN 2.4 GHz
# wl1.1 -> WLAN 5Ghz
# wl0.2 -> Wireless guest 2.4Ghz
# wl1.2 -> Wireless guest 5Ghz


# Remove interfaces from default br0 interface
brctl delif br0 eth1
brctl delif br0 eth2
brctl delif br0 eth3
brctl delif br0 eth4
brctl delif br0 eth5
brctl delif br0 eth6
brctl delif br0 eth7
brctl delif br0 wl0.1
brctl delif br0 wl1.1
brctl delif br0 wl0.2
brctl delif br0 wl1.2


# VLAN 2
vlanctl --mcast --if-create eth5 2
vlanctl --if eth5 --rx --tags 1 --filter-vid 2 0 --pop-tag --set-rxif eth5.v2 --rule-append
vlanctl --if eth5 --tx --tags 0 --filter-txif eth5.v2 --push-tag --set-vid 2 0 --rule-append
ifconfig eth5.v2 up
brctl addif br0 eth5.v2
ifconfig br0 10.0.0.3 netmask 255.255.255.0
ip route add 0/0 via 10.0.0.1
brctl setfd br0 0
ip link set br0 up


# VLAN 3
vlanctl --mcast --if-create eth5 3
vlanctl --if eth5 --rx --tags 1 --filter-vid 3 0 --pop-tag --set-rxif eth5.v3 --rule-append
vlanctl --if eth5 --tx --tags 0 --filter-txif eth5.v3 --push-tag --set-vid 3 0 --rule-append
ifconfig eth5.v3 up
brctl addbr br3
brctl setfd br3 0
brctl addif br3 eth5.v3
brctl addif br3 eth5
brctl addif br3 eth6
brctl addif br3 eth2
vconfig add br3 3
ip link set br3 up


# VLAN 4
vlanctl --mcast --if-create eth5 4
vlanctl --if eth5 --rx --tags 1 --filter-vid 4 0 --pop-tag --set-rxif eth5.v4 --rule-append
vlanctl --if eth5 --tx --tags 0 --filter-txif eth5.v4 --push-tag --set-vid 4 0 --rule-append
ifconfig eth5.v4 up
brctl addbr br4
brctl setfd br4 0
brctl addif br4 eth5.v4
brctl addif br4 wl0.1
brctl addif br4 wl0.2
vconfig add br4 4
ip link set br4 up


# VLAN 5
vlanctl --mcast --if-create eth5 5
vlanctl --if eth5 --rx --tags 1 --filter-vid 5 0 --pop-tag --set-rxif eth5.v5 --rule-append
vlanctl --if eth5 --tx --tags 0 --filter-txif eth5.v5 --push-tag --set-vid 5 0 --rule-append
ifconfig eth5.v5 up
brctl addbr br5
brctl setfd br5 0
brctl addif br5 eth5.v5
brctl addif br5 eth3
brctl addif br5 eth1
vconfig add br5 5
ip link set br5 up


# VLAN 7
vlanctl --mcast --if-create eth5 7
vlanctl --if eth5 --rx --tags 1 --filter-vid 7 0 --pop-tag --set-rxif eth5.v7 --rule-append
vlanctl --if eth5 --tx --tags 0 --filter-txif eth5.v7 --push-tag --set-vid 7 0 --rule-append
ifconfig eth5.v7 up
brctl addbr br7
brctl setfd br7 0
brctl addif br7 eth5.v7
brctl addif br7 wl1.1
brctl addif br7 wl1.2
vconfig add br7 7
ip link set br7 up


# Deal with DHCP etc, prevent from working in untagged
vlanctl --if eth5 --set-if-mode-rg
vlanctl --if eth5 --tx --tags 0 --default-miss-drop


# Deals with traffic between local interfaces when operating with sub-interfaces
ethswctl -c hw-switching -o disable

 

[L&LD]

Welcome to the forums @vlanvlan.

This looks great!

Will this possibly become an interactive script w/GUI in amtm anytime soon?

 

[vlanvlan]

Welcome to the forums @vlanvlan.

This looks great!

Will this possibly become an interactive script w/GUI in amtm anytime soon?

Thanks!

I've only only found out about this custom firmware a few days ago as I was redoing my setup. I wouldn't get my hopes up for a script with GUI.

Cheers,

 

[L&LD]

Never say never! There are many individuals around who can help make this become a reality (time and interest permitting).

@thelonelycoder, @Jack Yaz, @Martineau, and many, many others.

 

[Jack Yaz]

Never say never! There are many individuals around who can help make this become a reality (time and interest permitting).

@thelonelycoder, @Jack Yaz, @Martineau, and many, many others.

this does look really promising, nice work @vlanvlan

Unlikely to be me adopting it in the near future, kind of hard to beat this:

Spoiler: Firewall

Spoiler: UniFi AP

 

[Yota]

After 5 years of obscure usage of vlanctl in HND routers, finally figured out the correct way to set VLAN, good job @vlanvlan

Would you like to add a guide to the wiki? So more people can see it.

 

[vlanvlan]

After 5 years of obscure usage of vlanctl in HND routers, finally figured out the correct way to set VLAN, good job @vlanvlan

Would you like to add a guide to the wiki? So more people can see it.

I really don't know enough about all the Asus devices to be able to tell people which devices, other than my current ax86u and ax88u this will work on. I notice I have an oddity with the ax86u where occasionally the guest network interface jumps back to br0. This must be because the guest network gets disabled/enabled sometimes, but I am not sure (yet) why. I'll have to work out some fix for this later. Once I deem everything stable maybe I can spend some time on writing a bit more detailed guide.

 

[Jack Yaz]

I really don't know enough about all the Asus devices to be able to tell people which devices, other than my current ax86u and ax88u this will work on. I notice I have an oddity with the ax86u where occasionally the guest network interface jumps back to br0. This must be because the guest network gets disabled/enabled sometimes, but I am not sure (yet) why. I'll have to work out some fix for this later. Once I deem everything stable maybe I can spend some time on writing a bit more detailed guide.

The multi model thing is one of the main reasons I haven't implemented vlans in YazFi. There's a lot of configurations and I'd have to rely on users to help me out with port layouts

 

[idefix]

It took me a while to make this thing work. I could find some configs but nothing worked as provided. After combining information from several different posts I came to the working solution posted below. As it took me a while to get it to work I figured I'd share it here in case anyone else might be looking for similar configs. All credits go to the people originally finding the right commands for these platforms, I just tied them together for my specific case.

This setup uses the WAN port as dot1q trunk interface to an upstream firewall on the RT-AX88U router, and the 2.5Gbit interface on the RT-AX86U router. To prevent any config accidents no networks have been configured in the default (untagged) VLAN. I choose to keep using br0 as management network as I figured the software might perhaps have all sorts of issues if switching the layer 3 config to another bridge. I have not tested this, just assumed it. The IP address doesn't require to be set in the config, its just a failsafe incase I messed something up. I advice to load your config in a testfile and execute this to test if things work as intended. If not, a simple power-cycle of your device will bring it back in its original state. Once you're done figuring out your settings you can add it to /jffs/scripts/services-start. (For testing: nano test -> paste config -> safe file. chmod +x test. To execute write ./test - Once working, add your config to /jffs/scripts/services-start and give a chmod +x /jffs/scripts/services-start - your config will be loaded during boot time)

The vlanctl commands are required to add and remove VLAN tags for the dot1q trunk when it passes through the vlan subinterface. The bridge interfaces tie the interfaces together. For some reason the vconfig part was required to make everything communicate.

Thanks a lot for posting this.
I nearly lost hope after following the earlier robocfg examples on my AX88U only to find out that these do not work on the HW ;-)

Will this work also with the AX88U in AP mode and across other mesh nodes?
I currently have the following setup:

ONT/MODEM --> pfSense --> AX88U in AP Mode (LAN1) ----> 2x AX92U (LAN Backhaul)

I'm trying to keep the rest of the network on the default VLAN0 but add VLAN5, which is configured on pfSense, for the first AX88U Guestnetwork only.
Not sure if I understand your code fully but would this achieve what I'm looking for?

Thanks a lot !

# RT-AX88U interface layout
# eth0 -> WAN
# eth1 -> LAN4
# eth2 -> LAN3
# eth3 -> LAN2
# eth4 -> LAN1
# eth5 -> (not tested) hardware bridge LAN5-8
# eth6 -> 2.4Ghz radio (non guest)
# eth7 -> 5Ghz radio (non guest)
# wl0.1 -> First wireless guest 2.4Ghz
# wl1.1 -> First wireless guest 5Ghz
# wl0.2 -> Second wireless guest 2.4Ghz
# wl1.2 -> Second wireless guest 5Ghz


# Remove interfaces from default br0 interface
brctl delif br0 eth1
brctl delif br0 eth2
brctl delif br0 eth3
brctl delif br0 eth4
brctl delif br0 eth5
brctl delif br0 eth6
brctl delif br0 eth7
brctl delif br0 wl0.1
brctl delif br0 wl1.1


# VLAN 0
vlanctl --mcast --if-create eth4 0
vlanctl --if eth4 --rx --tags 1 --filter-vid 0 0 --pop-tag --set-rxif eth0.v0 --rule-append
vlanctl --if eth4 --tx --tags 0 --filter-txif eth0.v0 --push-tag --set-vid 0 0 --rule-append
ifconfig eth4.v0 up
brctl addif br0 eth4.v0
brctl addif br0 eth0
brctl addif br0 eth1
brctl addif br0 eth2
brctl addif br0 eth3
brctl addif br0 eth5
brctl addif br0 eth6
brctl addif br0 eth7
ifconfig br0 10.0.0.2 netmask 255.255.255.0
brctl setfd br0 0
ip link set br0 up


# VLAN 5
vlanctl --mcast --if-create eth4 5
vlanctl --if eth4 --rx --tags 1 --filter-vid 5 0 --pop-tag --set-rxif eth0.v5 --rule-append
vlanctl --if eth4 --tx --tags 0 --filter-txif eth0.v5 --push-tag --set-vid 5 0 --rule-append
ifconfig eth4.v5 up
brctl addbr br1
brctl setfd br1 0
brctl addif br1 eth4.v5
brctl addif br1 wl0.1
brctl addif br1 wl1.1
vconfig add br1 5
ip link set br1 up


# Deal with DHCP etc, prevent from working in untagged - REQUIRED in AP MODE?
# vlanctl --if eth4 --set-if-mode-rg
# vlanctl --if eth4 --tx --tags 0 --default-miss-drop


# Deals with traffic between local interfaces when operating with sub-interfaces
ethswctl -c hw-switching -o disable

 

[vlanvlan]

Hi,

It should work - at least, at my setup it does, as I run it in AP mode with mesh on the two device types mentioned in the original post.

Cheers,

 

[idefix]

Hi,

It should work - at least, at my setup it does, as I run it in AP mode with mesh on the two device types mentioned in the original post.

Cheers,

Thanks. This confused me a bit as the AP configuration from ASUS mentioned the main AP to connect via LAN and the 2 mesh AP's via their WAN port.
So if I have 1 AP with 2 mesh nodes I would need to configure all 3 for VLAN as described above?
When you mentioned you did not use the default VLAN to avoid accidents, does this mean it will not work with the default VLAN enabled?

Thanks and sorry for the questions, have a hard time understanding the code you posted and how to adjust for my config. Thanks !

 

[idefix]

not that straightforward from the looks of it :-(
I can get the different bridges up and running but when connecting to the guest wifi I either get no IP or can't connect at all.
Found another script here but the same issue: https://gist.github.com/Jimmy-Z/6120988090b9696c420385e7e42c64c4

Maybe trying to only add a VLAN for the guest network and leave the rest on the default/untagged vlan 0 does not work?

 

[kjbreil]

not that straightforward from the looks of it :-(
I can get the different bridges up and running but when connecting to the guest wifi I either get no IP or can't connect at all.
Found another script here but the same issue: https://gist.github.com/Jimmy-Z/6120988090b9696c420385e7e42c64c4

Maybe trying to only add a VLAN for the guest network and leave the rest on the default/untagged vlan 0 does not work?

The script you are linking to contains the method I used to tag my guest wifi without messing with the default vlan. I've got a guest network on 5ghz only, I wanted it tagged as vlan 4. Regular wifi network works as expected. All other methods using vlanctl caused the router to crash. I am running in AP mode.

# Disable hardware acceleration for switch
ethswctl -c hw-switching -o disable

# Create the VLAN
ip link add link eth0 name eth0.4 type vlan id 4
# Bring the VLAN up
ifconfig eth0.4 up
# Add the new bridge for the VLAN
brctl addbr br4
brctl setfd br4 0

# add VLAN to bridge
brctl addif br4 eth0.4

# remove the wireless guest 5ghz network from BR0 and add it to BR4
brctl delif br0 wl1.1
brctl addif br4 wl1.1

# something said this was needed, doesn't hurt and haven't tested without
vconfig add br4 4
# bring up the bridge
ip link set br4 up

 

[DiliMe]

Can any of you guys help me with the 'vlanctl' command?

On a AX86S (HND type) with Guest Wireless enabled I want to have eth1 (Port4) associated with Native VLAN=501.
Basically I need to connect a PC on that port and have it restricted similar to Guest wireless clients.
I see that after enabling Guest Wireless 1 and Intranet Access=Disabled, all eth interfaces are transformed into VLAN trunks (tagged with VLANs 1 and 501), but having the Native VLAN=1.
I think it would be enough to change the Native VLAN from 1-> 501 or to change the port from trunk -> untagged (access mode) but associated with VID=501.

 

[PaulA]

@DiliMe after half a year.... ;-) I did something similar; maybe this helps? https://www.snbforums.com/threads/p...erlin-w-tagged-internet-isp.89677/post-902942
Paul