| #!/bin/sh | |
| # multi SSID with VLAN script, for ASUS AC86U with merlin | |
| # | |
| # setup before hand: | |
| # set "router" to "AP Mode" | |
| # this will put all ports and wireless in br0 | |
| # create 2 guest network | |
| # enable Administration => System => Enable JFFS custom scripts and configs | |
| # put this script in /jffs/scripts/, name should be "services-start" | |
| # remember `chmod a+x services-start` | |
| # I strongly suggest you use static IP instead of DHCP | |
| # In my test, the "router" will pickup DHCP lease from VLAN 1 instead of VLAN 227 | |
| # reboot | |
| # some basic info of the original AP mode: | |
| # eth0 => WAN port | |
| # eth1~4 => LAN port 4~1, they're reversed | |
| # eth5 => WiFi 2.4G | |
| # eth6 => WiFi 5G | |
| # wl0.1, wl0.2 => WiFi 2.4G guest networks | |
| # this setup: | |
| # WAN port (eth0) will be repurposed as a tagged port | |
| # LAN ports (eth1~4) and primary WiFi (eth5,6) will be on VLAN 227 | |
| # guest network 1 will be on VLAN 11 | |
| # guest network 2 will be on VLAN 12 | |
| #echo "============== START 1 $(date) ==================" >> /jffs/scripts/log | |
| #ip a >> /jffs/scripts/log | |
| #ip r >> /jffs/scripts/log | |
| #brctl show >> /jffs/scripts/log | |
| #echo "============== END 1 $(date) ==================" >> /jffs/scripts/log | |
| # echo $PATH > /tmp/script_debug | |
| # remove eth0 which will be reconfigured as a tagged port | |
| brctl delif br0 eth0 | |
| # remove interfaces we're gonna move to other bridges | |
| brctl delif br0 wl0.1 | |
| brctl delif br0 wl0.2 | |
| # add vlans | |
| # interestingly, depending on the time passed since system boot, | |
| # vlan interfaces will be named eth0.1 or vlan1, I guess some udev rules got loaded. | |
| # so we use ip link instead of vconfig to specify a name explicitly. | |
| ip link add link eth0 name eth0.227 type vlan id 227 | |
| ip link add link eth0 name eth0.11 type vlan id 11 | |
| ip link add link eth0 name eth0.12 type vlan id 12 | |
| ip link set eth0.227 up | |
| ip link set eth0.11 up | |
| ip link set eth0.12 up | |
| # reconfigure br0, private LAN | |
| brctl addif br0 eth0.227 | |
| # set up br1, guest LAN | |
| brctl addbr br1 | |
| brctl addif br1 eth0.11 | |
| brctl addif br1 wl0.1 | |
| ip link set br1 up | |
| # set up br2, another guest LAN for IoT devices | |
| brctl addbr br2 | |
| brctl addif br2 eth0.12 | |
| brctl addif br2 wl0.2 | |
| ip link set br2 up | |
| # seems like eapd reads config from these | |
| # no need to set lan_ifname since it's already there | |
| nvram set lan_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth0.227" | |
| nvram set lan1_ifnames="wl0.1 eth0.11" | |
| nvram set lan1_ifname="br1" | |
| nvram set lan2_ifnames="wl0.2 eth0.12" | |
| nvram set lan2_ifname="br2" | |
| # doesn't seem to affect anything, just make it align | |
| nvram set br0_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth0.227" | |
| nvram set br1_ifnames="wl0.1 eth0.11" | |
| nvram set br1_ifname="br1" | |
| nvram set br2_ifnames="wl0.2 eth0.12" | |
| nvram set br2_ifname="br2" | |
| # we do NOT issue `nvram commit` here since it won't survive reboot anyway | |
| # is there a better way to do this like `service restart eapd` ? | |
| killall eapd | |
| eapd | |
| #echo "============== START 2 $(date) ==================" >> /jffs/scripts/log | |
| #ip a >> /jffs/scripts/log | |
| #ip r >> /jffs/scripts/log | |
| #brctl show >> /jffs/scripts/log | |
| #echo "============== END 2 $(date) ==================" >> /jffs/scripts/log |
It should work, but official firmware doesn't support JFFS custom scripts IIRC, you'll need a usb drive to run this at start.
thank you Jimmy-z
Is there any simple solution to have a rt-68u as AP connected to the rt-86u running this script, so the AP extend the range of the VLAN as well?
I don't know, put it in extender mode and take a look at the setup(ip addr, brctl show, nvram show ...), that's where I started. I'd always recommend a wired connection though.
Thanks!
Hi, are you sure this script really work? This works very well for linux system, openwrt (I tested in a raspberry pi 3), but for AC86U I tried using this one, also using vconfig, it doesn't matter how it is configured, the only thing that really worked for me was using VLANCTL.....
Yeah you can't get it to work so I must have posted something I didn't test, sounds reasonable.
Yeah you can't get it to work so I must have posted something I didn't test, sounds reasonable.
I’m sorry! Not my intention.....
I have tested it for eth2, it start sending packets and suddenly stop, I could not figure out why. I found you proposed for eth0, maybe there is some difference using this interface. Do you know?
That, I didn't test, I can confirm the original script worked as is, past tense as I don't have that setup anymore, so I'm sorry I can't test that for you.
Thanks for feedback and support, I will perform some additional tests.
Brilliant writeup.
Three quick questions (if I may):
- If I need to enable intraSSID security or AP Isolated mode, to prevent devices on same SSID talking to each other, how do I configure that?
- Can the names of the SSIDs be configured/customized?
- Can I run the management VLAN as untagged? (Which I assume will be by removing the lines that configure eth0.227, and VLAN 227)
- I guess it should work just as before, I have never used that feature though.
- Of course.
- It should work, but again I have not tested that.
Thanks Jimmy. I will give it a shot on my AC66U today and get back to this thread with feedback.
Ok, so some trouble in paradise. Seems like I don't have 'add' option under 'ip link'.
Anyway around this?
ERROR: Command "add" is unknown, try "ip link help"
I suppose ac66u doesn't come with that then.
ASUS ac66u_b1 switch hardware model is different with ac86U,I forked your script and support ac66u_b1 on merlin now. Thanks.
@Jimmy-Z can I use this approach to setup ISP provided VLANs trunk (they trunk Internet and IPTV) as passthrough at one of the points, instead of the forced split to ports 3 & 4 AsusWRT defaults to? I'd love to avoid having to buy a new managed switch just to re-trunk it all (since I need both VLANS at one port due to limited cabling).
@tubaxiaosiji Nice work, hope @TheEngineerGuy could see that.
@tjukic It should work, just setup another port as trunk.
@tubaxiaosiji Nice work, hope @TheEngineerGuy could see that.
@tjukic It should work, just setup another port as trunk.
I had solved it after our conversation last month, ended up using vconfig for my purposes. But I ran across two challenges, which are ASUS centric, and can't be solved (to my understanding), so I dropped the idea of using this router as my AP, and got a Cisco AP instead.
- Unable to Run 'Smart connect' on guest SSIDs
- Unable to apply 'AP Isolated mode' across two frequencies, which means that if one device connects to 2GHz and other connects to 5GHz on same SSIDs, they can speak to each other even with 'AP Isolated mode' enabled.
On Cisco, this was quite easy to fix.
-Enabled smart connect across all SSIDs, one command to do it.
-And for AP Isolated, I just added both 2GHz and 5GHz VLAN sub-interfaces for that SSID to the same bridge port group, and enabled protection on the bridge port group.
Viola, devices for that SSID now can connect to 5GHz or 2.4GHz using smart connect, and can't communicate to each other, no matter which frequency they are on.
If anyone has a way of doing this on Asus, please let me know.
I've got a REALLY simple bridge -
br1 8000.244bfe0a08c9 yes bond0.12
wl0.1
I'm able to ping my DHCP server from my router -
me@RT-AX88U-08C8:/jffs# ping 10.250.99.3 -I br1
PING 10.250.99.3 (10.250.99.3): 56 data bytes
64 bytes from 10.250.99.3: seq=0 ttl=64 time=0.818 ms
64 bytes from 10.250.99.3: seq=1 ttl=64 time=0.698 ms
^C
--- 10.250.99.3 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.698/0.758/0.818 ms
me@RT-AX88U-08C8:/jffs#
I see traffic come in the wl0.1 interface -
23:51:35.011103 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from my:ph:0n:3f:00:b4 (oui Unknown), length 286
23:51:36.944442 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from my:ph:0n:3f:00:b4 (oui Unknown), length 286
but I do not see that traffic exit my bond0.12 interface. Anyone have any insight into what the hell is going on here? I've been pulling my hair out for two days trying to get this to work.
Edit: Found it - ebtables - didn't know that was a thing. Once I cleared out those blocks all was well.
Thanks Jimmy, great work...how would i go about having 86u as a AP with vlan ssids segregating those ssid vlans to a pfsense\opnsense ??
It should work, but official firmware doesn't support JFFS custom scripts IIRC, you'll need a usb drive to run this at start.
Please help me run this script on official firmware. Thanks.
@Jimmy-Z Thanks for the script! I seem to have two issues
- On first boot, wired, I get handed the DHCP address from my router, not the VLAN and I can access the AP (rt-ac86u) just fine, but I cannot access my firewall device (pfsense)
- If I disconnect the cable and reconnect I get the correct VLAN address (227). However now I can't access the AP, but I can access my firewall.
- All of the guest wireless work fine and map to the correct VLAN, however even though they are given full access (for the moment) they also cannot see the AP either, but have no issue seeing the firewall.
- The main SSID maps to the correct VLAN 227, but same problem firewall access, but no AP.
Normal non-jffs scripted configuration works fine, obvious no VLAN tagging, but I cannot figure out what would create this scenario. This is also in a lab environment where my firewall is pulling a private IP, while I sort this out, but that hasn't created issues in the past with device that say support VLAN tagging out of the gate.
Curious if this rings any bells for how something could be misconfigured. Thanks!
To get this work on the RT-AC3100, I had to add some robocfg commands at then end. I didn't check what parts of the script are necessary for the RT-AC3100, so I just added it to the end of the script before the eapd restart. Also on RT-AC3100, eth1 and eth2 are the wifi interfaces.
# using VLAN 10, 4 is the WAN port
robocfg vlan 10 ports "4t 8t"
nvram set vlan10ports="4t 8t"
Also, for anyone wondering how to get the script to run on reboot using a USB stick and stock firmware
- ssh into the router
- copy script to jffs folder (for example I named it
setup_vlans.sh) - make script executable:
chmod +x setup_vlans.sh - set nvram variable to run script on startup:
nvram set script_usbmount="/jffs/setup_vlans.sh" nvram commit- Plug in USB drive and leave in router
- (Optional) Make a backup of the script on the usb drive so you don't lose it if you have reset your router:
mkdir -p /tmp/USB; mount /dev/sda /tmp/USB; cp /jffs/setup_vlans.sh /tmp/USB/; umount /tmp/USB
@LeeGDavis I'd be glad to help but I didn't have your problem during the period that I was using this solution, and as I said before, I don't have this setup anymore.
@jrnewell and everyone, I'd recommend only using this script (and adapt to your situation of course) if you can understand what every command does, this gist serves more like a note instead of a take and go solution.
Will this might work with officialf firmware for ASUS AC86U?