Yet another question about VLANs (any HowTo recommended?)

DiliMe

Regular Contributor
Hi folks,
I see here on SNBForums and on Reddit dozens (or maybe close to a hundred) posts about VLANs on Asus Merlin routers, though I haven't found a comprehensive guide/HowTo.
Can anyone recommend one for my case?
My main router is an AX86S (router mode), and I also have a second node, an AC68U, that is wired and runs in either AiMesh or AP mode.
I also have a PoE switch, a Cisco SF302P, that has CCTV cameras connected, and a wireless AP, a Linksys WAP54GP, that is PoE powered and knows about VLAN IDs.
(I cannot install another Asus AC68U in that zone because I cannot easily run electrical wiring and a power plug there, which is why I stick to my almost 15-20 year old AP :) )
I was happy until recently having only one SSID configured on that AP, but now I would like to configure 2 SSIDs, with one of them mapped to a VLAN that doesn't permit access to the intranet but permits access to the internet (similar to Guest mode).

Now my question: Is there any guide that you would recommend?

I have already read dozens of forum articles here on SNB or on Reddit and tried a couple of setups, but I could not figure it out. Also, I need to mention that I have very short windows to test, mostly during the night, as my wife works from home and my kids are gaming day and night or listening to online music, so I cannot easily make changes or do too many reboots (similar to a production environment :). This is why I am asking for a HowTo; it would be nice to find one on the GitHub Merlin Docs page.
It would be nice to find
 
This Linksys AP has to go immediately - museum item, security risk and perhaps bugging everything 2.4GHz around. The switch is >10 years old and has 10/100Mbps ports with a Gigabit uplink - good for the cameras you currently have only. The Asus RT-AC68U router is 10 years old - at the end of its usable life. Not sure why you purchased another Asus router - perhaps AiMesh marketing in action. You need a complete system overhaul HowTo. I would get rid of everything, get some money back and build something like an Omada system, all VLAN capable. Don't waste your time with this mix and match.
 
There are a few Asus Pro routers that support VLANs, in beta firmware only.

The rest do not support VLANs officially. If you want to set it up, you need to search around here, find fragments of code that people have written, and modify them for your purpose. As @Tech9 said, it would make much more sense to just buy true VLAN-capable hardware.

There is no guide or documentation, and it requires multiple reboots and testing to get right.
 
@DiliMe, since I see no need for speed, and you don't need it tomorrow, wait for sale prices and collect the hardware:

1x ER605 - $60 (usual price)
1x TL-SG108PE - $70 (currently on sale)
3x EAP225v3 - $60/each (currently on sale)

Keep the Cisco switch for your cameras. What you get is a Gigabit-capable wired system with up to 550Mbps over Wi-Fi for $310 (current Amazon USA prices). The switch is not Omada compatible, but has its own GUI and the same physical size as the router (stacked, they look nice). You can run the Omada SDN Controller software (free) on whatever you have available running Windows/Linux. The hardware controller is the OC200 - if you want it independent ($100 extra), also PoE powered. Then play with VLANs the way you want. Replace the APs with Wi-Fi 6 models when you need to, or start with the EAP620 ($100/each, often on sale) right away - depending on your budget. One weekend you do the overhaul and make your family happy. Next weekend go out and enjoy the summer.

Omada Controller emulator, for an idea of what it looks like:
 
I agree to disagree with you.
Although I support the principle of buying new technology when needed, and I was also very close to switching from Asus to Omada or Ubiquiti, I haven't done it yet ... coming back to your suggestion to trash all devices that are > 10 years old, for the sake of the discussion and purely in theory, I consider that I don't need to upgrade any of them.
* All my CCTV cameras have 10/100 ports, so there's no need to upgrade to a gigabit switch yet
* The Linksys AP, in terms of security, is WPA2, which is the same standard as 98% of consumer WiFi in the year 2023 - I don't think there were any updates to WPA2 in the last 20 years; the next update is WPA3. With regards to the bugging of 2.4GHz around, I have it at the back of the garden where there are no other houses in the area, so that's not a problem.
:)
 
Yes, I studied the offering from the Omada line in pretty fine detail a few months ago, though there were a few pros and cons ... anyway ... I haven't decided to make the move ... yet.
I think you "opened my eyes" a few years ago in a similar thread that I read here on the forum - thank you for the details.
I am still not convinced to move away from Asus .... but I find that all that VLAN complexity, where there's no longer an app similar to "robocfg", and with 20 virtual interfaces to remember and understand, makes the situation much more complex to configure.
Probably this thread is convincing me close to 99% to move away from the Asus line.
Also, I find the PRO line pretty expensive for what it offers extra compared to the normal ones.
 
Yes,
I can see that with the HND line of products it seems it became much more complex to configure VLANs, or maybe I haven't figured it out as long as 'robocfg' is missing.
Also it is scary when you run "ifconfig" or "ip a" and it returns more than 20 interfaces.

I am not convinced to pay the price for the PRO line; I would rather move to Omada or Ubiquiti.
 
I was also very close to switching from Asus to Omada or Ubiquiti

What you are going to do is entirely your decision. I believe your work-from-home wife will appreciate and approve such an upgrade.

I recommend hardware and software based on requirements. Looks like in your case continuing with home routers is a dead end strategy.
 
It isn't that bad on the HND, but it is more complex. If you make use of the built-in VLANs 501 and 502 that Asus puts on there when you enable Guest Wireless 1, it becomes easier; however, you can do it without that too. There are a couple of recent threads on here of people setting it up under both scenarios.

If you're just using it as an AP it is much easier, but it can be done in router mode too.

There are lots of virtual interfaces, but as long as you map out what each one does it is pretty straightforward.
 
Hi guys,
A short update: I have discovered, and then realized it was also written in some forum posts, that AX models with Guest wireless and "intranet access = disabled" have all eth1-6 ports set automatically as Trunk ports.

As a recap of last week, on the Cisco switch I already had 2 trunk ports: the first trunk port (GE1) that connects to the main AX router and the second trunk port (FE5) connected to the Linksys WAP54GP (which knows about VLANs, but it seems there were some bugs in its VLAN implementation and this was the culprit, so I trashed this old WAP :( ).
Then I discovered by accident, when I put one of the switch ports (FE7) in Access Mode in VLAN 501 ... voila ... the laptop receives an IP address via DHCP from the Asus AX router in the 192.168.101.0/24 guest subnet, basically with the same restrictions as Guest wireless clients.
Then I ordered a TP-Link EAP-Outdoor; I tested it yesterday with one of the SSIDs set in Guest mode and associated with VLAN 501, and it worked like a charm, serving Guest wireless clients from the same Asus DHCP server and with the same restrictions as the Asus wireless guest SSID.

To recap:
1) on the Asus AX86S, all I did was enable Guest wireless with "intranet access = Disabled"; this creates new interfaces eth1.501, eth2.501 ... eth6.501 and binds them together with wl0.1 into bridge br1. The way Asus created the interfaces, it puts all physical ports into Trunk mode allowing VLANs 1 and 501. Basically there's no need to ssh into the Asus to change anything.

2) on the Cisco switch
...
...
...
!
interface vlan 501
name "Asus VLAN for Guest WiFi"
no snmp trap link-status
!
....
....
....
switch#show running-config interface GE1
interface gigabitethernet1
loopback-detection enable
description "To Asus AX86 router"
switchport trunk allowed vlan add 18,501
!
switch#show running-config interface FE5
interface fastethernet5
loopback-detection enable
description "To Wireless AP PoE TP-Link-EAP-Outdoor"
port security max 6
switchport trunk allowed vlan add 501
!
switch#show running-config interface FE7
interface fastethernet7
loopback-detection enable
description "To Testing laptop"
switchport general pvid 501
switchport mode general
switchport general allowed vlan add 501 untagged
!
....
....

3) On the TP-Link-EAP
[screenshot: TP-Link-EAP-wireless-set1.jpg]
[screenshot: TP-Link-EAP-wireless-set2.jpg]
 
Now comes my next question.
On the Asus AX86S, how do I set eth1 (physical Port 4) to be on VLAN 501 and act as a Guest client?
Basically I want a device wired to eth1 to have the same restrictions as Guest SSID clients.

On SNBForums and Reddit everyone creates new VLANs; I haven't found a solution for the simple method of mapping eth1 to VLAN 501 (which is already created by Asus).

What I did was remove eth1 from br0 (LAN bridge), so for the moment I ran a single command.

brctl delif br0 eth1

... hoping that eth1.501 remains only in br1 (Guest bridge), but unfortunately the laptop connected to Port 4 (eth1) still doesn't receive an IP address from the 192.168.101.0 DHCP pool.

This is how my config looks after brctl delif br0 eth1:

a@router:/tmp/home/root# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.7c10c9b6cb28       yes             eth2
                                                        eth3
                                                        eth4
                                                        eth5
                                                        eth5.0
                                                        eth6
                                                        eth6.0
br1             8000.7c10c9b6cb29       yes             eth1.501
                                                        eth2.501
                                                        eth3.501
                                                        eth4.501
                                                        eth5.501
                                                        eth6.501
                                                        wl0.1

a@router:/tmp/home/root# ip -d link show eth1
14: eth1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 7c:10:c9:b6:cb:28 brd ff:ff:ff:ff:ff:ff promiscuity 1 addrgenmode eui64 numtxqueues 1 numrxqueues 1

a@router:/tmp/home/root# ip -d link show eth1.501
29: eth1.501@eth1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue master br1 state UP mode DEFAULT group default
    link/ether 7c:10:c9:b6:cb:28 brd ff:ff:ff:ff:ff:ff promiscuity 1
    vlan protocol 802.1Q id 501 <REORDER_HDR>
    bridge_slave state forwarding priority 32 cost 19 hairpin off guard off root_block off fastleave off learning on flood on proxy_arp off proxy_arp_wifi off mcast_fast_leave off addrgenmode eui64 numtxqueues 1 numrxqueues 1

a@router:/tmp/home/root# ifconfig eth1
eth1 Link encap:Ethernet HWaddr 7C:10:C9:B6:CB:28
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:182 errors:0 dropped:0 overruns:0 frame:0
TX packets:6735 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:63818 (62.3 KiB) TX bytes:833266 (813.7 KiB)

a@router:/tmp/home/root# ifconfig eth1.501
eth1.501 Link encap:Ethernet HWaddr 7C:10:C9:B6:CB:28
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:16283 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:1693591 (1.6 MiB)


Any guidance about the next step?
I don't want to mess up the config of VLAN 501 and the Guest SSID; I just need eth1 (Port 4) to be a member of VLAN 501 and receive an IP from the Guest network.
I tried disabling and enabling with this command, but still no success:
ethswctl -c hw-switching -o disable
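The brctl and ip output above is exactly the data needed to "map out what each interface does", and later in the thread the same poster says they have no way to show which VLANs exist and which virtual interface each one belongs to. The script below is an added example, not code from the thread: it parses `ip -d link` output (run on the router, or piped in over SSH from a workstation) and prints, per port, which bridge untagged frames land in and which tagged VLAN IDs are bridged where. The embedded SAMPLE is constructed to mirror the state shown above after `brctl delif br0 eth1`; its MAC addresses, interface indexes and the `wl0.1`/`lo`/`br0` entries are illustrative.

```python
"""Map Asus HND interfaces to 802.1Q VLAN IDs and bridges from `ip -d link` output.

Added example (not from the thread). Workstation usage:
    ssh admin@router 'ip -d link' | python3 vlanmap.py
With no piped stdin it runs against the constructed SAMPLE below.
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, Optional

HEADER_RE = re.compile(r"^(\d+): ([^:@\s]+)(?:@([^:\s]+))?: <([^>]*)>(.*)$")
MASTER_RE = re.compile(r"\bmaster (\S+)")
VLAN_RE = re.compile(r"^\s*vlan protocol 802\.1Q id (\d+)")


@dataclass
class Iface:
    name: str
    parent: Optional[str] = None  # 'eth1' for eth1.501@eth1
    master: Optional[str] = None  # bridge this interface is enslaved to, if any
    vid: Optional[int] = None     # 802.1Q id when this is a VLAN sub-interface


def parse_ip_d_link(text: str) -> Dict[str, Iface]:
    """One Iface per 'N: name[@parent]: <flags> ...' header; detail lines fill in the VLAN id."""
    ifaces: Dict[str, Iface] = {}
    cur: Optional[Iface] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            _, name, parent, _flags, rest = m.groups()
            mm = MASTER_RE.search(rest)
            cur = Iface(name, parent, mm.group(1) if mm else None)
            ifaces[name] = cur
        elif cur is not None:
            v = VLAN_RE.match(line)  # wrapped leftovers such as a lone '1000' match nothing
            if v:
                cur.vid = int(v.group(1))
    return ifaces


def port_vlan_map(ifaces: Dict[str, Iface]) -> Dict[str, dict]:
    """Per port: bridge receiving untagged frames ('untagged') and {vid: bridge} for tagged ones."""
    bridges = {i.master for i in ifaces.values() if i.master}
    ports: Dict[str, dict] = {}
    for i in ifaces.values():  # physical and wireless ports: no parent, no VLAN id
        if i.parent is None and i.vid is None and i.name not in bridges and i.name != "lo":
            ports[i.name] = {"untagged": i.master, "tagged": {}}
    for i in ifaces.values():  # VLAN sub-interfaces hang off a parent port
        if i.parent is not None and i.vid is not None:
            ports.setdefault(i.parent, {"untagged": None, "tagged": {}})
            ports[i.parent]["tagged"][i.vid] = i.master
    # drop ports that carry nothing (tunl0, ifb0 and friends on a real router)
    return {n: p for n, p in ports.items() if p["untagged"] or p["tagged"]}


def render(ports: Dict[str, dict]) -> str:
    lines = [f"{'port':<8} {'untagged->':<12} tagged vid->bridge"]
    for name in sorted(ports):
        p = ports[name]
        tagged = ", ".join(f"{vid}->{br or '(no bridge)'}" for vid, br in sorted(p["tagged"].items())) or "-"
        # a port with tagged members but no untagged membership is a pure trunk
        note = "" if p["untagged"] or not p["tagged"] else "   <- only an 802.1Q-tagging client can use this port"
        lines.append(f"{name:<8} {p['untagged'] or '-':<12} {tagged}{note}")
    return "\n".join(lines)


# Constructed sample modelled on the poster's output after `brctl delif br0 eth1`
SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
14: eth1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen
1000
    link/ether 7c:10:c9:b6:cb:28 brd ff:ff:ff:ff:ff:ff promiscuity 1 addrgenmode eui64 numtxqueues 1 numrxqueues 1
15: eth2: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP mode DEFAULT group default qlen 1000
    link/ether 7c:10:c9:b6:cb:28 brd ff:ff:ff:ff:ff:ff promiscuity 1
    bridge_slave state forwarding priority 32 cost 4 hairpin off
20: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 7c:10:c9:b6:cb:28 brd ff:ff:ff:ff:ff:ff promiscuity 0
27: wl0.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br1 state UP mode DEFAULT group default qlen 1000
    link/ether 7e:10:c9:b6:cb:29 brd ff:ff:ff:ff:ff:ff promiscuity 1
29: eth1.501@eth1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue master br1 state UP mode DEFAULT group default
    link/ether 7c:10:c9:b6:cb:28 brd ff:ff:ff:ff:ff:ff promiscuity 1
    vlan protocol 802.1Q id 501 <REORDER_HDR>
    bridge_slave state forwarding priority 32 cost 19 hairpin off
30: eth2.501@eth2: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue master br1 state UP mode DEFAULT group default
    link/ether 7c:10:c9:b6:cb:28 brd ff:ff:ff:ff:ff:ff promiscuity 1
    vlan protocol 802.1Q id 501 <REORDER_HDR>
"""

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(render(port_vlan_map(parse_ip_d_link(text))))
```

On the constructed sample the table shows eth2 with untagged frames in br0 and VLAN 501 in br1 (a normal Asus "trunk" port), and eth1 with no untagged membership at all, which is why an untagged laptop on that port gets nothing after the delif.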
 
Hi guys,
A short update: I have discovered, and then realized it was also written in some forum posts, that AX models with Guest wireless and "intranet access = disabled" have all eth1-6 ports set automatically as Trunk ports.

Correct. With GW1 and Access Intranet disabled, in router mode, VLANs 50x are all tagged out of all the LAN ports (at the very least 1-4; not positive about 5-8 on the 8-port models, and generally you want to avoid those anyway). In AP mode they are also tagged out of the WAN port. So if you are happy using those VLAN IDs and the way they are laid out (501 for 2.4GHz, 502 for 5GHz, 503 for 5GHz-2 if you have it), then you don't need to do anything to pick them up with a smart switch.
 
On HND it is pretty difficult; you have to get into pop tag and some more advanced stuff on the wired ports. You'd be better off just using your smart switch to do it, since as you've noticed it is already tagged out of the ports on the Asus; then you can use your smart switch to set a port to untagged for that VLAN and you're good to go.

Not saying it isn't doable; search around this forum and you'll find examples, but if you already have smart switches it is easier to just use those (by far).

Switching the wireless around is much easier, as you just have to move things around using brctl delif and addif.

Removing eth1 isn't what you want; the only way that would work is if the client supports VLAN tagging and you set it to VLAN 501, since now your eth1 port is no longer advertising VLAN 1 (the main eth1 interface), only the tagged VLAN 501 sub-interface.
 
Thank you man for your answers!

Not saying it isn't doable; search around this forum and you'll find examples, but if you already have smart switches it is easier to just use those (by far).
I searched the forum, but I haven't found something close; I think I'll open a new question here on the forum, to be more specific, and hopefully it will help more people in the near future.

Removing eth1 isn't what you want; the only way that would work is if the client supports VLAN tagging and you set it to VLAN 501, since now your eth1 port is no longer advertising VLAN 1 (the main eth1 interface), only the tagged VLAN 501 sub-interface.
Yes, I realize that eth1 is advertised as tagged, and in this case I would need a device on the other end that understands 802.1Q.

Basically what I need next is to change eth1 from Tagged to Untagged and keep it associated with VLAN 501, but I don't understand "vlanctl" and its options to pop and push tags.
 
There are examples floating around, but it would be much easier to just use your smart switch to do it. Trunk the Asus to the smart switch, then set a port on the smart switch to VLAN 501 untagged; that takes care of the pop/push for you.

If you need it untagged from the router port, then search here for "vlanctl"; I know I've seen examples with pop and push tag. You need to pop (remove) the tag on egress and push (add) it on ingress.
 
You're going to have to toy with it, but I believe this is along the lines of what you need (or a starting point). But it is much easier to just do it on your switch.

# Assumed prerequisite (not in the original post): --set-rxif/--filter-txif refer to eth1.v501,
# which must exist first; --if-create eth1 <vid> creates eth1.v<vid>. It then still has to be
# brought up and added to br1 (ifconfig eth1.v501 up; brctl addif br1 eth1.v501) to carry traffic.
vlanctl --if-create eth1 501
# rx: frames arriving on eth1 with one tag, VID 501 -> strip the tag, deliver via eth1.v501
vlanctl --if eth1 --rx --tags 1 --filter-vid 501 0 --pop-tag --set-rxif eth1.v501 --rule-append
# tx: untagged frames leaving via eth1.v501 -> add a tag with VID 501
vlanctl --if eth1 --tx --tags 0 --filter-txif eth1.v501 --push-tag --set-vid 501 0 --rule-append
 
There are examples floating around, but it would be much easier to just use your smart switch to do it. Trunk the Asus to the smart switch, then set a port on the smart switch to VLAN 501 untagged; that takes care of the pop/push for you.
The way this computer is placed in the room, it sits very close to the AX86S and it would be hard (let's say some furniture redesign) to move it. I would rather buy a cheap smart switch, but I don't intend to.
I'm intrigued that such a basic task is so hard to set up on these HND routers.

vlanctl --if eth1 --rx --tags 1 --filter-vid 501 0 --pop-tag --set-rxif eth1.v501 --rule-append
this doesn't work; I receive the error
[ERROR vlanctl] vlanCtl_insertTagRule, 470: Invalid argument

I think it is in the syntax, 501 or v501 sometimes ... I'm not sure.

* Following this post I tried these commands to untag eth1, but still no success in receiving an IP address over DHCP. I am also frustrated that I don't know how to verify/show what kind of VLANs are created and their association with the virtual interfaces.

# Create the new subinterface for eth1 to be the Native VLAN (Untagged)
vlanctl --if-create eth1 0
vlanctl --if eth1 --rx --tags 0 --set-rxif eth1.v0 --rule-append
vlanctl --if eth1 --tx --tags 0 --filter-txif eth1.v0 --rule-append
ifconfig eth1.v0 up

# Add eth1.v0 subinterface (untagged VLAN) into the bridge br1
brctl addif br1 eth1.v0

# Remove eth1 interface (?tagged or untagged?) from the bridge br0 (intranet)
brctl delif br0 eth1
 
Unfortunately I don't have an HND to try it on, but as far as I know you want to stick with the eth1.501 (or VLAN 501) interface and just pop and push the tags. VLAN 0 isn't going to work, so get rid of that stuff. Similar to how on a smart switch you have to set the "Port VLAN ID" to 501; that basically strips the tag on the way out and adds it on the way in.

Just play with the syntax; it may be eth0.501, or it may just be 501. Essentially the two rules are telling it to remove the tag from VLAN 501 frames as they exit the port (so the PC doesn't need to know the VLAN) and then add the tag to all untagged frames as they enter the port (so it goes into VLAN 501 as it heads up to the router). Remember, the ports are often numbered backwards on some of these routers, so eth1 may be port 8 or port 4. You need to plug and unplug and watch ifconfig to see which port goes up and down; then you know.

You may end up just wanting to get a $20 5-port smart switch and be done with it, but if you keep toying with it you'll probably figure it out.

To view the status it is something like vlanctl --if eth1 --show-table, or you may have to specify the VLAN in there too.
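The two replies above describe the same operation in words: pop (strip) the 802.1Q tag on egress toward the untagged client, push (insert) it on ingress, and only let a VID through a trunk if it is allowed. The Python below is an added example, not code from the thread or from Asus/Cisco/vlanctl: it implements the tag at byte level and models the thread's topology (laptop -> Cisco FE7 untagged in 501 -> GE1 trunk allowing 18,501 -> Asus port with VLAN 1 untagged and eth1.501 in br1), so you can see why the smart-switch path works and why the bare `brctl delif br0 eth1` attempt does not. The MAC addresses and payload in `LAPTOP_FRAME` are constructed placeholders, not a real DHCP packet.

```python
"""802.1Q tag push/pop plus a minimal access/trunk port model (added example, not from the thread)."""
import struct
from typing import Dict, Optional, Set, Tuple

TPID_8021Q = 0x8100  # EtherType that announces a VLAN tag at offset 12


def push_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a 4-byte tag after dst/src MAC: what an access port does on ingress."""
    if not 0 <= vid <= 4094:
        raise ValueError("VID must be 0..4094 (4095 is reserved)")
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def outer_vid(frame: bytes) -> Optional[int]:
    """VID of the outer 802.1Q tag, or None when the frame is untagged."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None


def pop_tag(frame: bytes) -> Tuple[Optional[int], bytes]:
    """Strip the outer tag: what an access port does on egress. Returns (vid, frame)."""
    vid = outer_vid(frame)
    if vid is None:
        return None, frame
    return vid, frame[:12] + frame[16:]


def access_port_ingress(frame: bytes, pvid: int) -> Optional[bytes]:
    """Untagged/PVID port (Cisco 'switchport general pvid 501'). Untagged frames get the PVID;
    frames that arrive already tagged are dropped so a client cannot choose its own VLAN."""
    if outer_vid(frame) is not None:
        return None
    return push_tag(frame, pvid)


def access_port_egress(frame: bytes, pvid: int) -> Optional[bytes]:
    """Only frames of the port's own VLAN leave, and they leave untagged."""
    vid, untagged = pop_tag(frame)
    return untagged if vid == pvid else None


def trunk_forward(frame: bytes, allowed: Set[int], native: Optional[int]) -> Optional[bytes]:
    """Trunk: tagged frames pass only if the VID is allowed; untagged frames ride the native VLAN."""
    vid = outer_vid(frame)
    if vid is None:
        return frame if native is not None else None
    return frame if vid in allowed else None


def hnd_port_demux(frame: bytes, untagged_bridge: Optional[str], tagged: Dict[int, str]) -> Optional[str]:
    """Which bridge a frame arriving on an Asus port lands in: the port itself for untagged
    frames, or the eth1.<vid> sub-interface for tagged ones. None means nobody picks it up."""
    vid = outer_vid(frame)
    return untagged_bridge if vid is None else tagged.get(vid)


# Constructed: broadcast dst, made-up src MAC, EtherType IPv4, placeholder payload
LAPTOP_FRAME = bytes.fromhex("ffffffffffff" "0242ac110002" "0800") + b"DHCPDISCOVER-placeholder"
ASUS_TRUNK = {"untagged_bridge": "br0", "tagged": {501: "br1"}}  # per the thread: VLAN 1 untagged, 501 tagged


def via_cisco_switch() -> Optional[str]:
    """Working path from the thread: FE7 (untagged, PVID 501) -> GE1 trunk -> Asus eth1.501 -> br1."""
    f = access_port_ingress(LAPTOP_FRAME, pvid=501)  # Cisco pushes tag 501 on ingress
    if f is None:
        return None
    f = trunk_forward(f, allowed={1, 18, 501}, native=1)  # GE1: 'trunk allowed vlan add 18,501'
    if f is None:
        return None
    return hnd_port_demux(f, **ASUS_TRUNK)


def direct_to_eth1_after_delif() -> Optional[str]:
    """The failing attempt: eth1 removed from br0, laptop still sends untagged frames."""
    return hnd_port_demux(LAPTOP_FRAME, untagged_bridge=None, tagged={501: "br1"})


def direct_to_eth1_with_tagging_client() -> Optional[str]:
    """The one case the reply says would work: the client itself tags VLAN 501."""
    return hnd_port_demux(push_tag(LAPTOP_FRAME, 501), untagged_bridge=None, tagged={501: "br1"})
```

`access_port_ingress` dropping pre-tagged frames is the detail that matters for security: an untagged port that forwarded client-supplied tags would let a client hop into any VLAN the uplink trunk allows, which is exactly what the guest VLAN is meant to prevent.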
 
Here is an old thread showing how to set it up with a cheap switch, screenshots, etc.

 
It is a lot easier than that now; when you enable guest network 1 with access LAN disabled on the 386 code base, it automatically sends both guest VLANs tagged out of all LAN ports, so any smart switch with VLAN support will automatically work as long as you match the VLAN IDs (501 and 502). OP is looking to do it directly from the router if possible, to avoid putting another switch in the path unnecessarily; however, that's probably going to end up being the easiest solution.