multi SSID with VLAN script, for ASUS AC86U with merlin

services-start.sh

#!/bin/sh

# multi SSID with VLAN script, for ASUS AC86U with merlin
#
# setup before hand:
#       set "router" to "AP Mode"
#               this will put all ports and wireless in br0
#       create 2 guest network
#       enable Administration => System => Enable JFFS custom scripts and configs
#       put this script in /jffs/scripts/, name should be "services-start"
#               remember `chmod a+x services-start`
#       I strongly suggest you use static IP instead of DHCP
#               In my test, the "router" will pickup DHCP lease from VLAN 1 instead of VLAN 227
#       reboot
# some basic info of the original AP mode:
#       eth0 => WAN port
#       eth1~4 => LAN port 4~1, they're reversed
#       eth5 => WiFi 2.4G
#       eth6 => WiFi 5G
#       wl0.1, wl0.2 => WiFi 2.4G guest networks
# this setup:
#       WAN port (eth0) will be repurposed as a tagged port
#       LAN ports (eth1~4) and primary WiFi (eth5,6) will be on VLAN 227
#       guest network 1 will be on VLAN 11
#       guest network 2 will be on VLAN 12

#echo "============== START 1 $(date) ==================" >> /jffs/scripts/log
#ip a >> /jffs/scripts/log
#ip r >> /jffs/scripts/log
#brctl show >> /jffs/scripts/log
#echo "============== END 1 $(date) ==================" >> /jffs/scripts/log

# echo $PATH > /tmp/script_debug

# remove eth0 which will be reconfigured as a tagged port
brctl delif br0 eth0
# remove interfaces we're gonna move to other bridges
brctl delif br0 wl0.1
brctl delif br0 wl0.2

# add vlans
# interestingly, depending on the time passed since system boot,
# vlan interfaces will be named eth0.1 or vlan1, I guess some udev rules got loaded.
# so we use ip link instead of vconfig to specify a name explicitly.
ip link add link eth0 name eth0.227 type vlan id 227
ip link add link eth0 name eth0.11 type vlan id 11
ip link add link eth0 name eth0.12 type vlan id 12
ip link set eth0.227 up
ip link set eth0.11 up
ip link set eth0.12 up

# reconfigure br0, private LAN
brctl addif br0 eth0.227

# set up br1, guest LAN
brctl addbr br1
brctl addif br1 eth0.11
brctl addif br1 wl0.1
ip link set br1 up

# set up br2, another guest LAN for IoT devices
brctl addbr br2
brctl addif br2 eth0.12
brctl addif br2 wl0.2
ip link set br2 up

# seems like eapd reads config from these
# no need to set lan_ifname since it's already there
nvram set lan_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth0.227"

nvram set lan1_ifnames="wl0.1 eth0.11"
nvram set lan1_ifname="br1"

nvram set lan2_ifnames="wl0.2 eth0.12"
nvram set lan2_ifname="br2"

# doesn't seem to affect anything, just make it align
nvram set br0_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth0.227"

nvram set br1_ifnames="wl0.1 eth0.11"
nvram set br1_ifname="br1"

nvram set br2_ifnames="wl0.2 eth0.12"
nvram set br2_ifname="br2"

# we do NOT issue `nvram commit` here since it won't survive reboot anyway

# is there a better way to do this like `service restart eapd` ?
killall eapd
eapd

#echo "============== START 2 $(date) ==================" >> /jffs/scripts/log
#ip a >> /jffs/scripts/log
#ip r >> /jffs/scripts/log
#brctl show >> /jffs/scripts/log
#echo "============== END 2 $(date) ==================" >> /jffs/scripts/log

Will this might work with officialf firmware for ASUS AC86U?

It should work, but official firmware doesn't support JFFS custom scripts IIRC, you'll need a usb drive to run this at start.

thank you Jimmy-z

Is there any simple solution to have a rt-68u as AP connected to the rt-86u running this script, so the AP extend the range of the VLAN as well?

I don't know, put it in extender mode and take a look at the setup(ip addr, brctl show, nvram show ...), that's where I started. I'd always recommend a wired connection though.

Thanks!

Hi, are you sure this script really work? This works very well for linux system, openwrt (I tested in a raspberry pi 3), but for AC86U I tried using this one, also using vconfig, it doesn't matter how it is configured, the only thing that really worked for me was using VLANCTL.....

Yeah you can't get it to work so I must have posted something I didn't test, sounds reasonable.

Yeah you can't get it to work so I must have posted something I didn't test, sounds reasonable.

I’m sorry! Not my intention.....
I have tested it for eth2, it start sending packets and suddenly stop, I could not figure out why. I found you proposed for eth0, maybe there is some difference using this interface. Do you know?

That, I didn't test, I can confirm the original script worked as is, past tense as I don't have that setup anymore, so I'm sorry I can't test that for you.

Thanks for feedback and support, I will perform some additional tests.

Brilliant writeup.

Three quick questions (if I may):

1. If I need to enable intraSSID security or AP Isolated mode, to prevent devices on same SSID talking to each other, how do I configure that?
2. Can the names of the SSIDs be configured/customized?
3. Can I run the management VLAN as untagged? (Which I assume will be by removing the lines that configure eth0.227, and VLAN 227)

1. I guess it should work just as before, I have never used that feature though.
2. Of course.
3. It should work, but again I have not tested that.

Thanks Jimmy. I will give it a shot on my AC66U today and get back to this thread with feedback.

Ok, so some trouble in paradise. Seems like I don't have 'add' option under 'ip link'.

Anyway around this?

ERROR: Command "add" is unknown, try "ip link help"

I suppose ac66u doesn't come with that then.

ASUS ac66u_b1 switch hardware model is different with ac86U，I forked your script and support ac66u_b1 on merlin now. Thanks.

@Jimmy-Z can I use this approach to setup ISP provided VLANs trunk (they trunk Internet and IPTV) as passthrough at one of the points, instead of the forced split to ports 3 & 4 AsusWRT defaults to? I'd love to avoid having to buy a new managed switch just to re-trunk it all (since I need both VLANS at one port due to limited cabling).

@tubaxiaosiji Nice work, hope @TheEngineerGuy could see that.

@tjukic It should work, just setup another port as trunk.

@tubaxiaosiji Nice work, hope @TheEngineerGuy could see that.

@tjukic It should work, just setup another port as trunk.

I had solved it after our conversation last month, ended up using vconfig for my purposes. But I ran across two challenges, which are ASUS centric, and can't be solved (to my understanding), so I dropped the idea of using this router as my AP, and got a Cisco AP instead.

1. Unable to Run 'Smart connect' on guest SSIDs
2. Unable to apply 'AP Isolated mode' across two frequencies, which means that if one device connects to 2GHz and other connects to 5GHz on same SSIDs, they can speak to each other even with 'AP Isolated mode' enabled.

On Cisco, this was quite easy to fix.
-Enabled smart connect across all SSIDs, one command to do it.
-And for AP Isolated, I just added both 2GHz and 5GHz VLAN sub-interfaces for that SSID to the same bridge port group, and enabled protection on the bridge port group.

Viola, devices for that SSID now can connect to 5GHz or 2.4GHz using smart connect, and can't communicate to each other, no matter which frequency they are on.

If anyone has a way of doing this on Asus, please let me know.

I've got a REALLY simple bridge -

br1             8000.244bfe0a08c9       yes             bond0.12
                                                        wl0.1

I'm able to ping my DHCP server from my router -

me@RT-AX88U-08C8:/jffs# ping 10.250.99.3 -I br1
PING 10.250.99.3 (10.250.99.3): 56 data bytes
64 bytes from 10.250.99.3: seq=0 ttl=64 time=0.818 ms
64 bytes from 10.250.99.3: seq=1 ttl=64 time=0.698 ms
^C
--- 10.250.99.3 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.698/0.758/0.818 ms

me@RT-AX88U-08C8:/jffs#

I see traffic come in the wl0.1 interface -

23:51:35.011103 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from my:ph:0n:3f:00:b4 (oui Unknown), length 286
23:51:36.944442 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from my:ph:0n:3f:00:b4 (oui Unknown), length 286

but I do not see that traffic exit my bond0.12 interface. Anyone have any insight into what the hell is going on here? I've been pulling my hair out for two days trying to get this to work.

Edit: Found it - ebtables - didn't know that was a thing. Once I cleared out those blocks all was well.

Thanks Jimmy, great work...how would i go about having 86u as a AP with vlan ssids segregating those ssid vlans to a pfsense\opnsense ??

It should work, but official firmware doesn't support JFFS custom scripts IIRC, you'll need a usb drive to run this at start.

Please help me run this script on official firmware. Thanks.