multi SSID with VLAN script, for ASUS AC86U with merlin

services-start.sh

#!/bin/sh

# multi SSID with VLAN script, for ASUS AC86U with merlin
#
# setup before hand:
#       set "router" to "AP Mode"
#               this will put all ports and wireless in br0
#       create 2 guest network
#       enable Administration => System => Enable JFFS custom scripts and configs
#       put this script in /jffs/scripts/, name should be "services-start"
#               remember `chmod a+x services-start`
#       I strongly suggest you use static IP instead of DHCP
#               In my test, the "router" will pickup DHCP lease from VLAN 1 instead of VLAN 227
#       reboot
# some basic info of the original AP mode:
#       eth0 => WAN port
#       eth1~4 => LAN port 4~1, they're reversed
#       eth5 => WiFi 2.4G
#       eth6 => WiFi 5G
#       wl0.1, wl0.2 => WiFi 2.4G guest networks
# this setup:
#       WAN port (eth0) will be repurposed as a tagged port
#       LAN ports (eth1~4) and primary WiFi (eth5,6) will be on VLAN 227
#       guest network 1 will be on VLAN 11
#       guest network 2 will be on VLAN 12

#echo "============== START 1 $(date) ==================" >> /jffs/scripts/log
#ip a >> /jffs/scripts/log
#ip r >> /jffs/scripts/log
#brctl show >> /jffs/scripts/log
#echo "============== END 1 $(date) ==================" >> /jffs/scripts/log

# echo $PATH > /tmp/script_debug

# remove eth0 which will be reconfigured as a tagged port
brctl delif br0 eth0
# remove interfaces we're gonna move to other bridges
brctl delif br0 wl0.1
brctl delif br0 wl0.2

# add vlans
# interestingly, depending on the time passed since system boot,
# vlan interfaces will be named eth0.1 or vlan1, I guess some udev rules got loaded.
# so we use ip link instead of vconfig to specify a name explicitly.
ip link add link eth0 name eth0.227 type vlan id 227
ip link add link eth0 name eth0.11 type vlan id 11
ip link add link eth0 name eth0.12 type vlan id 12
ip link set eth0.227 up
ip link set eth0.11 up
ip link set eth0.12 up

# reconfigure br0, private LAN
brctl addif br0 eth0.227

# set up br1, guest LAN
brctl addbr br1
brctl addif br1 eth0.11
brctl addif br1 wl0.1
ip link set br1 up

# set up br2, another guest LAN for IoT devices
brctl addbr br2
brctl addif br2 eth0.12
brctl addif br2 wl0.2
ip link set br2 up

# seems like eapd reads config from these
# no need to set lan_ifname since it's already there
nvram set lan_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth0.227"

nvram set lan1_ifnames="wl0.1 eth0.11"
nvram set lan1_ifname="br1"

nvram set lan2_ifnames="wl0.2 eth0.12"
nvram set lan2_ifname="br2"

# doesn't seem to affect anything, just make it align
nvram set br0_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth0.227"

nvram set br1_ifnames="wl0.1 eth0.11"
nvram set br1_ifname="br1"

nvram set br2_ifnames="wl0.2 eth0.12"
nvram set br2_ifname="br2"

# we do NOT issue `nvram commit` here since it won't survive reboot anyway

# is there a better way to do this like `service restart eapd` ?
killall eapd
eapd

#echo "============== START 2 $(date) ==================" >> /jffs/scripts/log
#ip a >> /jffs/scripts/log
#ip r >> /jffs/scripts/log
#brctl show >> /jffs/scripts/log
#echo "============== END 2 $(date) ==================" >> /jffs/scripts/log

@LeeGDavis I'd be glad to help but I didn't have your problem during the period that I was using this solution, and as I said before, I don't have this setup anymore.

@jrnewell and everyone, I'd recommend only using this script (and adapt to your situation of course) if you can understand what every command does, this gist serves more like a note instead of a take and go solution.

Fantastic work! Thank you a lot @Jimmy-Z !

Got it working with RT-AX82U.

Here is full wall of text which I just copy & pasted to SSH client:

ip="10.14.15.15" # Default network static IP
vlanId1=50 # Default network VLAN ID
vlanId2=60 # Guest network 1 VLAN ID
vlanId3=70 # Guest network 2 VLAN ID

script="/jffs/scripts/services-start"

tee "${script}" > /dev/null << EOF
#!/bin/sh

# Ports in RT-AX82U:
# eth0 = LAN4
# eth1 = LAN3
# eth2 = LAN2
# eth3 = LAN1
# eth4 = WAN
# eth5 = 2.4 GHz
# eth6 = 5 GHz
# wl0.1 = Guest 1
# wl0.2 = Guest 2

# Tagged to WAN port (eth4):
# Default network: br0, vlan id ${vlanId1}
# Guest network 1: br1, vlan id ${vlanId2}
# Guest network 2: br2, vlan id ${vlanId3}

# Remove default configs
brctl delif br0 eth4
brctl delif br0 wl0.1
brctl delif br0 wl0.2

# Add VLANs
ip link add link eth4 name eth4.${vlanId1} type vlan id ${vlanId1}
ip link add link eth4 name eth4.${vlanId2} type vlan id ${vlanId2}
ip link add link eth4 name eth4.${vlanId3} type vlan id ${vlanId3}
ip link set eth4.${vlanId1} up
ip link set eth4.${vlanId2} up
ip link set eth4.${vlanId3} up

# Default network
ifconfig br0 "${ip}" netmask 255.255.255.0
brctl addif br0 eth4.${vlanId1}
nvram set lan_ifnames="eth0 eth1 eth2 eth3 eth5 eth6 eth4.${vlanId1}"
nvram set br0_ifnames="eth0 eth1 eth2 eth3 eth5 eth6 eth4.${vlanId1}"

# Guest network 1
brctl addbr br1
brctl addif br1 eth4.${vlanId2}
brctl addif br1 wl0.1
ip link set br1 up
nvram set lan1_ifnames="wl0.1 eth4.${vlanId2}"
nvram set br1_ifnames="wl0.1 eth4.${vlanId2}"
nvram set lan1_ifname="br1"
nvram set br1_ifname="br1"
nvram set wl0.1_ap_isolate=1
wl -i wl0.1 ap_isolate 1

# Guest network 2
brctl addbr br2
brctl addif br2 eth4.${vlanId3}
brctl addif br2 wl0.2
ip link set br2 up
nvram set lan2_ifnames="wl0.2 eth4.${vlanId3}"
nvram set br2_ifnames="wl0.2 eth4.${vlanId3}"
nvram set lan2_ifname="br2"
nvram set br2_ifname="br2"
nvram set wl0.2_ap_isolate=1
wl -i wl0.2 ap_isolate 1

# Restart eapd
killall eapd
eapd
EOF

chmod a+x "${script}"
reboot

@Knud3 , I want to do this to AX88U with pfsense as router and a managed switch passing these values. Will this script work in this scenario?

@Knud3 , I want to do this to AX88U with pfsense as router and a managed switch passing these values. Will this script work in this scenario?

Do not know about AX88U, but I have exact that setup, pfSense and HP managed switches. Works really well.

I have managed to get VLAN working on AX88U, however, I cannot login to the web interface again. Any idea how to solve this

@Jimmy-Z , I modified the script to work on AX88U and it is routing Vlans correctly, Howver, I am locked out of the router login page. Do you have any idea what could have caused this or how to fix?

Thanks alot @Jimmy-Z and @Knud3 . I made this work on AX88U. My setup is PFsense + managed switch and 3 VLAN. Here is the modified script. Just the ports are a little different but everything is the same.

#ip="10.27.27.8" # Default network static IP
vlanId1=50 # Default network VLAN ID
vlanId2=60 # Guest network 1 VLAN ID
vlanId3=70 # Guest network 2 VLAN ID

script="/jffs/scripts/services-start"

tee "${script}" > /dev/null << EOF
#!/bin/sh

# Ports in RT-AX88U:
# Physical port to interface map:
# eth0   WAN
# eth1   LAN 4
# eth2   LAN 3
# eth3   LAN 2
# eth4   LAN 1
# eth5   Bridge of LAN 5, LAN 6, LAN 7, LAN 8
# eth6   2.4 GHz Radio
# eth7   5 GHz Radio
# wl0.1 = Guest 1
# wl0.2 = Guest 2


# Tagged to WAN port (eth0):
# Default network: br0, vlan id ${vlanId1}
# Guest network 1: br1, vlan id ${vlanId2}
# Guest network 2: br2, vlan id ${vlanId3}

# Remove default configs
brctl delif br0 eth0
brctl delif br0 wl0.1
brctl delif br0 wl1.1

# Add VLANs
ip link add link eth0 name eth0.${vlanId1} type vlan id ${vlanId1}
ip link add link eth0 name eth0.${vlanId2} type vlan id ${vlanId2}
ip link add link eth0 name eth0.${vlanId3} type vlan id ${vlanId3}
ip link set eth0.${vlanId1} up
ip link set eth0.${vlanId2} up
ip link set eth0.${vlanId3} up

# Default network
#ifconfig br0 "${ip}" netmask 255.255.255.0
brctl addif br0 eth0.${vlanId1}
nvram set lan_ifnames="eth0 eth1 eth2 eth3 eth4 eth5 eth0.${vlanId1}"
nvram set br0_ifnames="eth0 eth1 eth2 eth3 eth4 eth5 eth0.${vlanId1}"

# Guest network 1
brctl addbr br1
brctl addif br1 eth0.${vlanId2}
brctl addif br1 wl0.1
ip link set br1 up
nvram set lan1_ifnames="wl0.1 eth0.${vlanId2}"
nvram set br1_ifnames="wl0.1 eth0.${vlanId2}"
nvram set lan1_ifname="br1"
nvram set br1_ifname="br1"
nvram set wl0.1_ap_isolate=1
wl -i wl0.1 ap_isolate 1

# Guest network 2
brctl addbr br2
brctl addif br2 eth0.${vlanId3}
brctl addif br2 wl1.1
ip link set br2 up
nvram set lan2_ifnames="wl1.1 eth0.${vlanId3}"
nvram set br2_ifnames="wl1.1 eth0.${vlanId3}"
nvram set lan2_ifname="br2"
nvram set br2_ifname="br2"
nvram set wl0.2_ap_isolate=1
wl -i wl1.1 ap_isolate 1

# Restart eapd
killall eapd
eapd
EOF

chmod a+x "${script}"
reboot

@demarey-baker How were you able to get to the Web UI? I have tried this multiple times and it seems like the connected interface is not a trunk port.

Should be Pfsense (Trunk Port) > Managed Switch (Trunk Port) > Asus (Trunk Port) > SSID's tagged for VLAN traffic

@robertr1229 tell more about your setup. Especially what you mean by trunk port? pfSense do not have trunk ports nor Asus. You have Cisco switch with DTP/VTP? Maybe just tell which networks you have VLAN tagged/untagged and which ports.

@robertr1229 , yes I got the webgui to work. Make sure you set the static ipaddress for the router as part of the main vlan. My problem was that I think it would be apart of the main network so I didn't have any access even though the vlan worked. Let me know if you have any other questions. Also, which router are you using exactly?
For reference this is my setup.
PFsense native lan : 10.27.27.0/24
VLAN 50 :10.27.50.0/24
VLAN 60 :10.27.60.0/24
VLAN 70 :10.27.70.0/24
I gave Asus router static address of 10.27.50.10 before running the script and I can always address it on that. Prior to this, I was doing it from native lan and it would always lose access. Everything works fine now but the vlans normally get messed up if you change the wifi settings like passwords etc but after a reboot everything works fine.

@robertr1229 tell more about your setup. Especially what you mean by trunk port? pfSense do not have trunk ports (I have heard some rack Netgate models have, but I doubt that you have one) nor Asus. You have Cisco switch with DTP/VTP? Maybe just tell which networks you have VLAN tagged/untagged and which ports.

I think the issue is not setting a static IP before running the script. As for Trunk ports. That is not a physical port. A Trunk port is used to transmit multiple tagged VLANS on a single port or "VLAN Aware" Asus Merlin may not be able to support it but PFSense definitely can. As well as any managed switch.

I also just saw your config for the RT-AX82U. I am using the same device and will give it a try. I would like to have Trunking but I can live with just setting it up on a Native VLAN.

Yes, I know what trunk ports are used for. pfSense definately supports tagging VLANs on single physical port, but if we are really talking about 802.1Q trunking it (DTP/VTP) is Cisco proprietary protocol. Other place where trunking word is sometimes used is link aggregation ("port trunking").

This thread was all very helpful in figuring this out.
I'm on an AX-58U. For some reason, all the wifi connections (guest networks and eth5-6) work without issue. Even though I have eth0-3 configured the exact same way and on the same vlan, they are only able to reach the AX-58U and other devices connected directly to it. Wifi devices can ping the gateway, reach the internet and opnnsense settings no problem.
I've been trying things for a couple days now. I'd love any help. Thanks in advance

Script:

#!/bin/sh

ip="192.168.85.2"
vlanId1=1 # Default network VLAN ID
vlanId2=30 # Guest network 1 VLAN ID
vlanId3=20 # Guest network 2 VLAN ID


# Remove default configs
brctl delif br0 eth4
brctl delif br0 wl0.1
brctl delif br0 wl0.2

# Add VLANs
ip link add link eth4 name eth4.${vlanId1} type vlan id ${vlanId1}
ip link add link eth4 name eth4.${vlanId2} type vlan id ${vlanId2}
ip link add link eth4 name eth4.${vlanId3} type vlan id ${vlanId3}
ip link set eth4.${vlanId1} up
ip link set eth4.${vlanId2} up
ip link set eth4.${vlanId3} up

# Default network
ifconfig br0 "${ip}" netmask 255.255.255.0
brctl addif br0 eth4.${vlanId1}
nvram set lan_ifnames="eth0 eth1 eth2 eth3 eth5 eth6 eth4.${vlanId1}"
nvram set br0_ifnames="eth0 eth1 eth2 eth3 eth5 eth6 eth4.${vlanId1}"

# Guest network 1
brctl addbr br1
brctl addif br1 eth4.${vlanId2}
brctl addif br1 wl0.1
ip link set br1 up
nvram set lan1_ifnames="wl0.1 eth4.${vlanId2}"
nvram set br1_ifnames="wl0.1 eth4.${vlanId2}"
nvram set lan1_ifname="br1"
nvram set br1_ifname="br1"
nvram set wl0.1_ap_isolate=1
wl -i wl0.1 ap_isolate 1

# Guest network 2
brctl addbr br2
brctl addif br2 eth4.${vlanId3}
brctl addif br2 wl0.2
ip link set br2 up
nvram set lan2_ifnames="wl0.2 eth4.${vlanId3}"
nvram set br2_ifnames="wl0.2 eth4.${vlanId3}"
nvram set lan2_ifname="br2"
nvram set br2_ifname="br2"
nvram set wl0.2_ap_isolate=1
wl -i wl0.2 ap_isolate 1

# Restart eapd
killall eapd
eapd

ip a

14: eth0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
15: eth1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
16: eth2: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
17: eth3: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
18: eth4: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
19: dpsta: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
20: eth5: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
21: eth6: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether f0:2f:74:6e:94:8c brd ff:ff:ff:ff:ff:ff
22: br0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
    inet 192.168.85.2/24 brd 192.168.85.255 scope global br0
       valid_lft forever preferred_lft forever
23: wl0.1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br1 state UNKNOWN group default qlen 1000
    link/ether f0:2f:74:6e:94:89 brd ff:ff:ff:ff:ff:ff
24: wl0.2: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br2 state UNKNOWN group default qlen 1000
    link/ether f0:2f:74:6e:94:8a brd ff:ff:ff:ff:ff:ff
25: eth4.1@eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
26: eth4.30@eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br1 state UP group default
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
27: eth4.20@eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br2 state UP group default
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
28: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
29: br2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff

Thanks @Jimmy-Z @Knud3 @demarey-baker !

I went with something a little different to also handle wireless restarts.

I run my RT-AX88U router in Access Point mode, with an OPNsense box upstream. Wanted to segregate the wireless networks into their own vlans.

# Physical setup

Internet
    |
    '-- OPNsense
            |
            |-- Switch 1
            |-- Switch 2
            '-- RT-AX88U

Scripts

Helper functions

/jffs/scripts/source/helpers.sh

#!/bin/sh

# Modes
# https://github.com/RMerl/asuswrt-merlin.ng/blob/76a3dabaf1d150c40a0ff369b4974e907d1faffb/release/src/router/shared/rtstate.h#L6
# https://github.com/RMerl/asuswrt-merlin.ng/blob/76a3dabaf1d150c40a0ff369b4974e907d1faffb/release/src/router/shared/rtstate.c#L85
fn_isAccessPointMode() {
  if [[ $(nvram get sw_mode) == 3 && $(nvram get wlc_psta) == 0 ]];then
    return 0
  else
    return 1
  fi
}

fn_isRouterMode() {
  if [ $(nvram get sw_mode) == 1 ];then
    return 0
  else
    return 1
  fi
}

# arg1: tag (optional)
# arg2: message
fn_logD() {
  if [ "$2" == "" ]; then
    logger -p debug $1
  else
    logger -p debug -t $1 $2
  fi
}

# arg1: tag
fn_flushEbTables() {
  fn_logD $1 "Flushing ebtables"

  ebtables -F
}

# arg1: tag
fn_restartEapd() {
  fn_logD $1 "Restarting eapd"

  killall eapd
  eapd
}

# arg1: tag
fn_restartWebGUI() {
  fn_logD $1 "Restarting Web GUI"

  service restart_httpd
}

VLAN setup

/jffs/scripts/source/setup_ap_vlans.sh

#!/bin/sh

# Options:
#     "services_start"
#     "restart_wireless"
#
###################################################################
#
# Asus RT-AX88U (Access Point Mode)
#
# Before executing, set the following from the Web GUI:
#
#  1. Category "Wireless"
#    - Tab "Wireless MAC Filter"
#      - (Band)                         2.4 GHz
#        (Enable MAC Filter)            no
#      - (Band)                         5 GHz
#        (Enable MAC Filter)            no
#    - This is delegated to the upstream router and will
#      prevent being locked out.
#
#  2. Category "LAN"
#    - Tab "LAN IP"
#      - (Get LAN IP Automatically?)    no
#        (IP Address)                   your static IP
#        (Subnet Mask)                  255.255.255.0
#        (Default Gateway)              your default gateway
#    - Example
#      - (Get LAN IP Automatically?)    no
#        (IP Address)                   172.16.10.2   
#        (Subnet Mask)                  255.255.255.0
#        (Default Gateway)              172.16.10.1         
#    - This should match whatever is set upstream on vlan 10
#
#  3. Category "Administration"
#    - Tab "System"
#      - Ensure Access Restriction List is set properly or disabled
#    - Tab "Operation Mode"
#      - Set to "Access Point(AP) mode"
#
#### $ brctl show #### (before configuration) #####################
# 
# bridge name	 bridge id		 STP enabled	 interfaces
# br0		 8000.a036bcb34a28	 no		 eth0
#							 eth1
#							 eth2
#							 eth3
#							 eth4
#							 eth5
#							 eth6
#							 eth7
#							 wl0.1
#							 wl0.2
#							 wl0.3
#							 wl1.1
#							 wl1.2
#							 wl1.3
#
#### Info #########################################################
#
# eth0		WAN
#
# eth1		Physical port 4
# eth2		Physical port 3
# eth3		Physical port 2
# eth4		Physical port 1
# eth5		Physical ports 5-8
# eth6		2.4GHz LAN
# eth7		5.0GHz LAN
#
# wl0.1		2.4GHz guest1
# wl0.2		2.4GHz guest2
# wl0.3		2.4GHz guest3
#
# wl1.1		5.0GHz guest1
# wl1.2		5.0GHz guest2
# wl1.3		5.0GHz guest3
#
#### Shooting For #################################################
#
# VLAN10 (Tag - 10) [ LAN ]
#	br0		eth5	Physical ports 5-8
#			eth6	2.4GHz LAN
#			eth7	5.0GHz LAN
#
# VLAN20 (Tag - 20) [ Guest ]
#	br1		wl0.1	2.4GHz guest1
#			wl1.1	5.0GHz guest1
#
# VLAN30 (Tag - 30) [ Share ]
#	br2		eth4	Physical port 1
#			wl1.2	5.0GHz guest2
#
# VLAN40 (Tag - 40) [ Cameras ]
#	br3		eth3	Physical port 2
#			wl0.2	2.4GHz guest2
#
# VLAN50 (Tag - 50) [ IoT ]
#       br4		wl0.3   2.4GHz guest3
#
# VLAN60 (Tag - 60) [ Work ]
#	br5		eth2	Physical port 3
#			eth1    Physical port 4
#                       wl1.3   5.0GHz guest3
#
#### $ brctl show #### (after configuration) #####################
#
# bridge name	bridge id		STP enabled	interfaces
# br0		8000.a036bcb34a28	no		eth0.10
#							eth5
#							eth6
#							eth7
# br1		8000.a036bcb34a28	no		eth0.20
#							wl0.1
#							wl1.1
# br2		8000.a036bcb34a28	no		eth0.30
#							eth4
#							wl1.2
# br3		8000.a036bcb34a28	no		eth0.40
#							eth3
#							wl0.2
# br4		8000.a036bcb34a28	no		eth0.50
#							wl0.3
# br5		8000.a036bcb34a28	no		eth0.60
#							eth1
#							eth2
#							wl1.3
#
###################################################################

source /jffs/scripts/source/helpers.sh

fn_removeEthernetFromBr0() {
  brctl delif br0 eth0
  brctl delif br0 eth1
  brctl delif br0 eth2
  brctl delif br0 eth3
  brctl delif br0 eth4
#  brctl delif br0 eth5
}

fn_removeWirelessFromBr0() {
#  brctl delif br0 eth6
#  brctl delif br0 eth7
  brctl delif br0 wl0.1
  brctl delif br0 wl0.2
  brctl delif br0 wl0.3
  brctl delif br0 wl1.1
  brctl delif br0 wl1.2
  brctl delif br0 wl1.3
}

fn_createVlans() {
  ip link add link eth0 name eth0.10 type vlan id 10
  ip link add link eth0 name eth0.20 type vlan id 20
  ip link add link eth0 name eth0.30 type vlan id 30
  ip link add link eth0 name eth0.40 type vlan id 40
  ip link add link eth0 name eth0.50 type vlan id 50
  ip link add link eth0 name eth0.60 type vlan id 60
}

fn_upVlans() {
  ip link set eth0.10 up
  ip link set eth0.20 up
  ip link set eth0.30 up
  ip link set eth0.40 up
  ip link set eth0.50 up
  ip link set eth0.60 up
}

fn_createBridges() {
#  brctl addbr br0
  brctl addbr br1
  brctl addbr br2
  brctl addbr br3
  brctl addbr br4
  brctl addbr br5
}

fn_assignEthernetToBridges() {
  brctl addif br0 eth0.10

  brctl addif br1 eth0.20

  brctl addif br2 eth0.30
  brctl addif br2 eth4

  brctl addif br3 eth0.40
  brctl addif br3 eth3

  brctl addif br4 eth0.50

  brctl addif br5 eth0.60
  brctl addif br5 eth2
  brctl addif br5 eth1
}

fn_assignWirelessToBridges() {
#  brctl addif br0 eth6
#  brctl addif br0 eth7

  brctl addif br1 wl0.1
  brctl addif br1 wl1.1

  brctl addif br2 wl1.2

  brctl addif br3 wl0.2

  brctl addif br4 wl0.3

  brctl addif br5 wl1.3
}

fn_upBridges() {
#  ip link set br0 up
  ip link set br1 up
  ip link set br2 up
  ip link set br3 up
  ip link set br4 up
  ip link set br5 up
}

fn_setNvramBr0() {
#  nvram set br0_ifname="br0"
#  nvram set lan_ifname="br0"
  nvram set br0_ifnames="eth5 eth6 eth7 eth0.10"
  nvram set lan_ifnames="eth5 eth6 eth7 eth0.10"
}

fn_setNvramBr1() {
  nvram set br1_ifname="br1"
  nvram set lan1_ifname="br1"
  nvram set br1_ifnames="wl0.1 wl1.1 eth0.20"
  nvram set lan1_ifnames="wl0.1 wl1.1 eth0.20"
}

fn_setNvramBr2() {
  nvram set br2_ifname="br2"
  nvram set lan2_ifname="br2"
  nvram set br2_ifnames="eth4 wl1.2 eth0.30"
  nvram set lan2_ifnames="eth4 wl1.2 eth0.30"
}

fn_setNvramBr3() {
  nvram set br3_ifname="br3"
  nvram set lan3_ifname="br3"
  nvram set br3_ifnames="eth3 wl0.2 eth0.40"
  nvram set lan3_ifnames="eth3 wl0.2 eth0.40"
}

fn_setNvramBr4() {
  nvram set br4_ifname="br4"
  nvram set lan4_ifname="br4"
  nvram set br4_ifnames="wl0.3 eth0.50"
  nvram set lan4_ifnames="wl0.3 eth0.50"
}

fn_setNvramBr5() {
  nvram set br5_ifname="br5"
  nvram set lan5_ifname="br5"
  nvram set br5_ifnames="eth2 eth1 wl1.3 eth0.60"
  nvram set lan5_ifnames="eth2 eth1 wl1.3 eth0.60"
}

case $1 in

  # Run from services-start script
  "services_start")
    fn_logD "setup_ap_vlans.sh" "Configuring vlans for AP Mode"

    fn_removeEthernetFromBr0
    fn_removeWirelessFromBr0
    fn_createVlans
    fn_upVlans
    fn_createBridges
    fn_assignEthernetToBridges
    fn_assignWirelessToBridges
    fn_upBridges
    fn_setNvramBr0
    fn_setNvramBr1
    fn_setNvramBr2
    fn_setNvramBr3
    fn_setNvramBr4
    fn_setNvramBr5

    # Restart eapd handled separately
    # Flush ebtables handled separately
    # Restart Web GUI handled separately
    ;;

  # Run from service-event-end script
  "restart_wireless")
    fn_logD "setup_ap_vlans.sh" "Reconfiguring wireless interfaces"

    # Needs a moment to settle before executing things
    sleep 1

    fn_removeWirelessFromBr0
    fn_assignWirelessToBridges
    fn_setNvramBr0

    # Restart eapd handled separately
    # Flush ebtables handled separately
    ;;
esac

services-start

/jffs/scripts/services-start

#!/bin/sh

source /jffs/scripts/source/helpers.sh

if fn_isAccessPointMode; then
  /jffs/scripts/source/setup_ap_vlans.sh "services_start"
  fn_restartEapd "services-start"
  fn_flushEbTables "services-start"
  fn_restartWebGUI "services-start"
fi

service-event-end

/jffs/scripts/service-event-end

#!/bin/sh

source /jffs/scripts/source/helpers.sh

case $1 in
  "restart")
    case $2 in
      "wireless")
        if fn_isAccessPointMode; then
          /jffs/scripts/source/setup_ap_vlans.sh "restart_wireless"
          fn_restartEapd "service-event-end"
        fi
        ;;

      "firewall")
        if fn_isAccessPointMode; then
          fn_flushEbTables "service-event-end"
        fi
        ;;

    esac
    ;;

esac

The restart_wireless Issue

Initially, any restart_wireless event was:

• Reassigning all wireless interfaces back to br0

  # $ brctl show
  
  bridge name	bridge id		STP enabled	interfaces
  br0		8000.a036bcb34a28	no		eth0.10
  							eth5
  							eth6
  							eth7
  							wl0.1
  							wl0.2
  							wl0.3
  							wl1.1
  							wl1.2
  							wl1.3
  br1		8000.a036bcb34a28	no		eth0.20
  br2		8000.a036bcb34a28	no		eth0.30
  							eth4
  br3		8000.a036bcb34a28	no		eth0.40
  							eth3
  br4		8000.a036bcb34a28	no		eth0.50
  br5		8000.a036bcb34a28	no		eth0.60
  							eth1
  							eth2
  

• Resetting nvram for the following, to:
  • lan_ifnames=eth0 eth1 eth2 eth3 eth4 eth5 eth6 eth7 wl0.1 wl0.2 wl0.3 wl1.1 wl1.2 wl1.3
  • br0_ifnames=eth0 eth1 eth2 eth3 eth4 eth5 eth6 eth7 wl0.1 wl0.2 wl0.3 wl1.1 wl1.2 wl1.3

So intercepting it from the service-event-end script and reassigning wireless interfaces back to their original bridges fixed it. No more need to reboot after modifying something now.

Hope it helps!

This thread was all very helpful in figuring this out. I'm on an AX-58U. For some reason, all the wifi connections (guest networks and eth5-6) work without issue. Even though I have eth0-3 configured the exact same way and on the same vlan, they are only able to reach the AX-58U and other devices connected directly to it. Wifi devices can ping the gateway, reach the internet and opnnsense settings no problem. I've been trying things for a couple days now. I'd love any help. Thanks in advance

Script:

#!/bin/sh

ip="192.168.85.2"
vlanId1=1 # Default network VLAN ID
vlanId2=30 # Guest network 1 VLAN ID
vlanId3=20 # Guest network 2 VLAN ID


# Remove default configs
brctl delif br0 eth4
brctl delif br0 wl0.1
brctl delif br0 wl0.2

# Add VLANs
ip link add link eth4 name eth4.${vlanId1} type vlan id ${vlanId1}
ip link add link eth4 name eth4.${vlanId2} type vlan id ${vlanId2}
ip link add link eth4 name eth4.${vlanId3} type vlan id ${vlanId3}
ip link set eth4.${vlanId1} up
ip link set eth4.${vlanId2} up
ip link set eth4.${vlanId3} up

# Default network
ifconfig br0 "${ip}" netmask 255.255.255.0
brctl addif br0 eth4.${vlanId1}
nvram set lan_ifnames="eth0 eth1 eth2 eth3 eth5 eth6 eth4.${vlanId1}"
nvram set br0_ifnames="eth0 eth1 eth2 eth3 eth5 eth6 eth4.${vlanId1}"

# Guest network 1
brctl addbr br1
brctl addif br1 eth4.${vlanId2}
brctl addif br1 wl0.1
ip link set br1 up
nvram set lan1_ifnames="wl0.1 eth4.${vlanId2}"
nvram set br1_ifnames="wl0.1 eth4.${vlanId2}"
nvram set lan1_ifname="br1"
nvram set br1_ifname="br1"
nvram set wl0.1_ap_isolate=1
wl -i wl0.1 ap_isolate 1

# Guest network 2
brctl addbr br2
brctl addif br2 eth4.${vlanId3}
brctl addif br2 wl0.2
ip link set br2 up
nvram set lan2_ifnames="wl0.2 eth4.${vlanId3}"
nvram set br2_ifnames="wl0.2 eth4.${vlanId3}"
nvram set lan2_ifname="br2"
nvram set br2_ifname="br2"
nvram set wl0.2_ap_isolate=1
wl -i wl0.2 ap_isolate 1

# Restart eapd
killall eapd
eapd

ip a

14: eth0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
15: eth1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
16: eth2: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
17: eth3: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
18: eth4: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
19: dpsta: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
20: eth5: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
21: eth6: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether f0:2f:74:6e:94:8c brd ff:ff:ff:ff:ff:ff
22: br0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
    inet 192.168.85.2/24 brd 192.168.85.255 scope global br0
       valid_lft forever preferred_lft forever
23: wl0.1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br1 state UNKNOWN group default qlen 1000
    link/ether f0:2f:74:6e:94:89 brd ff:ff:ff:ff:ff:ff
24: wl0.2: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br2 state UNKNOWN group default qlen 1000
    link/ether f0:2f:74:6e:94:8a brd ff:ff:ff:ff:ff:ff
25: eth4.1@eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
26: eth4.30@eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br1 state UP group default
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
27: eth4.20@eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br2 state UP group default
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
28: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
29: br2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff

Eth4 is physically LAN or WAN?

I run my RT-AX88U router in Access Point mode, with an OPNsense box upstream. Wanted to segregate the wireless networks into their own vlans.

@05nelsonm
Could you please help me with a modified script? 🙏🏼
My setup is the same as yours... Internet -> OPNsense -> RTAX88U

I am looking for the following VLAN tagging on my AX88U, running latest Merlin software.

#
# VLAN10 (Tag - 10) [ LAN ]
#	br0	eth4		Physical ports 1
#		eth3		Physical ports 2
#		eth2		Physical ports 3
#		eth1		Physical ports 4
#		eth5		Physical ports 5-8
#		eth6		2.4GHz LAN
#		eth7		5.0GHz LAN
#
# VLAN60 (Tag - 60) [ Guest ]
#	br1	wl0.2		2.4GHz guest2
#
# All other guest wifi radios disabled

Requests:

1. Could you please help out with the scripts that work for my setup?

2. I am also running an additional AX56U (which acts as a Mesh node to the master AX88U). Would I need to change anything in the AX56U or would it just keep acting as a mesh node and use the same VLANs automatically?

Has anyone else had an issue attaching the
Asus AP LAN ports to the VLANS ?
Clients on wl interfaces come up with the correct VLAN subnet. However anything connected to the LAN ports cannot get an IP address no matter which VLAN I configure the port under. I am using an ax58 connected to a tp link managed switch.

Everything else works. Including GUI access but non of the LAN ports come up.
Any insight is appreciated

Has anyone else had an issue attaching the Asus AP LAN ports to the VLANS ? Clients on wl interfaces come up with the correct VLAN subnet. However anything connected to the LAN ports cannot get an IP address no matter which VLAN I configure the port under. I am using an ax58 connected to a tp link managed switch.

Everything else works. Including GUI access but non of the LAN ports come up. Any insight is appreciated

Here is my bridge setup
bridge name bridge id STP enabled interfaces
br0 8000.d45d649a43e0 yes eth1
eth2
eth3
eth4.80
eth5
eth6
br1 8000.d45d649a43e0 yes eth0
eth4.60
wl0.1
wl1.1
br2 8000.d45d649a43e0 yes eth4.70
wl0.2
wl1.2

This thread was all very helpful in figuring this out. I'm on an AX-58U. For some reason, all the wifi connections (guest networks and eth5-6) work without issue. Even though I have eth0-3 configured the exact same way and on the same vlan, they are only able to reach the AX-58U and other devices connected directly to it. Wifi devices can ping the gateway, reach the internet and opnnsense settings no problem. I've been trying things for a couple days now. I'd love any help. Thanks in advance

Script:

#!/bin/sh

ip="192.168.85.2"
vlanId1=1 # Default network VLAN ID
vlanId2=30 # Guest network 1 VLAN ID
vlanId3=20 # Guest network 2 VLAN ID


# Remove default configs
brctl delif br0 eth4
brctl delif br0 wl0.1
brctl delif br0 wl0.2

# Add VLANs
ip link add link eth4 name eth4.${vlanId1} type vlan id ${vlanId1}
ip link add link eth4 name eth4.${vlanId2} type vlan id ${vlanId2}
ip link add link eth4 name eth4.${vlanId3} type vlan id ${vlanId3}
ip link set eth4.${vlanId1} up
ip link set eth4.${vlanId2} up
ip link set eth4.${vlanId3} up

# Default network
ifconfig br0 "${ip}" netmask 255.255.255.0
brctl addif br0 eth4.${vlanId1}
nvram set lan_ifnames="eth0 eth1 eth2 eth3 eth5 eth6 eth4.${vlanId1}"
nvram set br0_ifnames="eth0 eth1 eth2 eth3 eth5 eth6 eth4.${vlanId1}"

# Guest network 1
brctl addbr br1
brctl addif br1 eth4.${vlanId2}
brctl addif br1 wl0.1
ip link set br1 up
nvram set lan1_ifnames="wl0.1 eth4.${vlanId2}"
nvram set br1_ifnames="wl0.1 eth4.${vlanId2}"
nvram set lan1_ifname="br1"
nvram set br1_ifname="br1"
nvram set wl0.1_ap_isolate=1
wl -i wl0.1 ap_isolate 1

# Guest network 2
brctl addbr br2
brctl addif br2 eth4.${vlanId3}
brctl addif br2 wl0.2
ip link set br2 up
nvram set lan2_ifnames="wl0.2 eth4.${vlanId3}"
nvram set br2_ifnames="wl0.2 eth4.${vlanId3}"
nvram set lan2_ifname="br2"
nvram set br2_ifname="br2"
nvram set wl0.2_ap_isolate=1
wl -i wl0.2 ap_isolate 1

# Restart eapd
killall eapd
eapd

ip a

14: eth0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
15: eth1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
16: eth2: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
17: eth3: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
18: eth4: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
19: dpsta: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
20: eth5: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
21: eth6: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether f0:2f:74:6e:94:8c brd ff:ff:ff:ff:ff:ff
22: br0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
    inet 192.168.85.2/24 brd 192.168.85.255 scope global br0
       valid_lft forever preferred_lft forever
23: wl0.1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br1 state UNKNOWN group default qlen 1000
    link/ether f0:2f:74:6e:94:89 brd ff:ff:ff:ff:ff:ff
24: wl0.2: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br2 state UNKNOWN group default qlen 1000
    link/ether f0:2f:74:6e:94:8a brd ff:ff:ff:ff:ff:ff
25: eth4.1@eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
26: eth4.30@eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br1 state UP group default
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
27: eth4.20@eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br2 state UP group default
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
28: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
29: br2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff

Did you ever figure out why lan ports are not running? I have the same issue

Are you sure the VLAN is configured correctly in the Netgear Switch? I have that same switch and it took me a while to understand how the VLAN works. If I didn't have another switch lying around I would have thought it was something else. Tell me how you configured the VLAN on the Netgear switch. For this to work you need to pass through all of the VLANs to the ASUS router and then it will then route it out correctly.

…

On Mon, Feb 6, 2023 at 4:24 AM Harshpreet Singh ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ Thanks alot @Jimmy-Z <https://github.com/Jimmy-Z> and @Knud3 <https://github.com/Knud3> . I made this work on AX88U. My setup is PFsense + managed switch and 3 VLAN. Here is the modified script. Just the ports are a little different but everything is the same. #ip="10.27.27.8" # Default network static IP vlanId1=50 # Default network VLAN ID vlanId2=60 # Guest network 1 VLAN ID vlanId3=70 # Guest network 2 VLAN ID script="/jffs/scripts/services-start" tee "${script}" > /dev/null << EOF #!/bin/sh # Ports in RT-AX88U: # Physical port to interface map: # eth0 WAN # eth1 LAN 4 # eth2 LAN 3 # eth3 LAN 2 # eth4 LAN 1 # eth5 Bridge of LAN 5, LAN 6, LAN 7, LAN 8 # eth6 2.4 GHz Radio # eth7 5 GHz Radio # wl0.1 = Guest 1 # wl0.2 = Guest 2 # Tagged to WAN port (eth0): # Default network: br0, vlan id ${vlanId1} # Guest network 1: br1, vlan id ${vlanId2} # Guest network 2: br2, vlan id ${vlanId3} # Remove default configs brctl delif br0 eth0 brctl delif br0 wl0.1 brctl delif br0 wl1.1 # Add VLANs ip link add link eth0 name eth0.${vlanId1} type vlan id ${vlanId1} ip link add link eth0 name eth0.${vlanId2} type vlan id ${vlanId2} ip link add link eth0 name eth0.${vlanId3} type vlan id ${vlanId3} ip link set eth0.${vlanId1} up ip link set eth0.${vlanId2} up ip link set eth0.${vlanId3} up # Default network #ifconfig br0 "${ip}" netmask 255.255.255.0 brctl addif br0 eth0.${vlanId1} nvram set lan_ifnames="eth0 eth1 eth2 eth3 eth4 eth5 eth0.${vlanId1}" nvram set br0_ifnames="eth0 eth1 eth2 eth3 eth4 eth5 eth0.${vlanId1}" # Guest network 1 brctl addbr br1 brctl addif br1 eth0.${vlanId2} brctl addif br1 wl0.1 ip link set br1 up nvram set lan1_ifnames="wl0.1 eth0.${vlanId2}" nvram set br1_ifnames="wl0.1 eth0.${vlanId2}" nvram set lan1_ifname="br1" nvram set br1_ifname="br1" nvram set wl0.1_ap_isolate=1 wl -i wl0.1 ap_isolate 1 # Guest network 2 brctl addbr br2 brctl addif br2 eth0.${vlanId3} brctl addif br2 wl1.1 ip link set br2 up nvram set lan2_ifnames="wl1.1 eth0.${vlanId3}" nvram set br2_ifnames="wl1.1 eth0.${vlanId3}" nvram set lan2_ifname="br2" nvram set br2_ifname="br2" nvram set wl0.2_ap_isolate=1 wl -i wl1.1 ap_isolate 1 # Restart eapd killall eapd eapd EOF chmod a+x "${script}" reboot Hi buddy. How did you manage to connect your ASUS AP to the PFsense box/via switch? I'm trying the same, I just want to VLAN my Guest Networks from ASUS AP. I've setup normal VLANS correctly with DHCP in OPNSense, and in Netgear GS308T Managed Switch I have connected my ASUS Router/AP to PORT 5. I've tagged Port 5 with VLAN 50 (only 1 vlan), but I can never achieve connectivity. Which port are you actually using from the ASUS to hookup to your switch? I've used the WAN port (eth0) to hookup to switch. It does not work for me. — Reply to this email directly, view it on GitHub <https://gist.github.com/6120988090b9696c420385e7e42c64c4#gistcomment-4461199> or unsubscribe <https://github.com/notifications/unsubscribe-auth/AHWKBERLAKTBEYYXC33BUXTWWCU2XBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFQKSXMYLMOVS2I5DSOVS2I3TBNVS3W5DIOJSWCZC7OBQXE5DJMNUXAYLOORPWCY3UNF3GS5DZVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVA4TIOJQGAYTGOFHORZGSZ3HMVZKMY3SMVQXIZI> . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .

-- *Best Regards,* *Demarey Baker * *"Dream as you will live forever, live as you would die tomorrow."*

This thread was all very helpful in figuring this out. I'm on an AX-58U. For some reason, all the wifi connections (guest networks and eth5-6) work without issue. Even though I have eth0-3 configured the exact same way and on the same vlan, they are only able to reach the AX-58U and other devices connected directly to it. Wifi devices can ping the gateway, reach the internet and opnnsense settings no problem. I've been trying things for a couple days now. I'd love any help. Thanks in advance
Script:

#!/bin/sh

ip="192.168.85.2"
vlanId1=1 # Default network VLAN ID
vlanId2=30 # Guest network 1 VLAN ID
vlanId3=20 # Guest network 2 VLAN ID


# Remove default configs
brctl delif br0 eth4
brctl delif br0 wl0.1
brctl delif br0 wl0.2

# Add VLANs
ip link add link eth4 name eth4.${vlanId1} type vlan id ${vlanId1}
ip link add link eth4 name eth4.${vlanId2} type vlan id ${vlanId2}
ip link add link eth4 name eth4.${vlanId3} type vlan id ${vlanId3}
ip link set eth4.${vlanId1} up
ip link set eth4.${vlanId2} up
ip link set eth4.${vlanId3} up

# Default network
ifconfig br0 "${ip}" netmask 255.255.255.0
brctl addif br0 eth4.${vlanId1}
nvram set lan_ifnames="eth0 eth1 eth2 eth3 eth5 eth6 eth4.${vlanId1}"
nvram set br0_ifnames="eth0 eth1 eth2 eth3 eth5 eth6 eth4.${vlanId1}"

# Guest network 1
brctl addbr br1
brctl addif br1 eth4.${vlanId2}
brctl addif br1 wl0.1
ip link set br1 up
nvram set lan1_ifnames="wl0.1 eth4.${vlanId2}"
nvram set br1_ifnames="wl0.1 eth4.${vlanId2}"
nvram set lan1_ifname="br1"
nvram set br1_ifname="br1"
nvram set wl0.1_ap_isolate=1
wl -i wl0.1 ap_isolate 1

# Guest network 2
brctl addbr br2
brctl addif br2 eth4.${vlanId3}
brctl addif br2 wl0.2
ip link set br2 up
nvram set lan2_ifnames="wl0.2 eth4.${vlanId3}"
nvram set br2_ifnames="wl0.2 eth4.${vlanId3}"
nvram set lan2_ifname="br2"
nvram set br2_ifname="br2"
nvram set wl0.2_ap_isolate=1
wl -i wl0.2 ap_isolate 1

# Restart eapd
killall eapd
eapd

ip a

14: eth0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
15: eth1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
16: eth2: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
17: eth3: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
18: eth4: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
19: dpsta: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
20: eth5: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
21: eth6: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether f0:2f:74:6e:94:8c brd ff:ff:ff:ff:ff:ff
22: br0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
    inet 192.168.85.2/24 brd 192.168.85.255 scope global br0
       valid_lft forever preferred_lft forever
23: wl0.1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br1 state UNKNOWN group default qlen 1000
    link/ether f0:2f:74:6e:94:89 brd ff:ff:ff:ff:ff:ff
24: wl0.2: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br2 state UNKNOWN group default qlen 1000
    link/ether f0:2f:74:6e:94:8a brd ff:ff:ff:ff:ff:ff
25: eth4.1@eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
26: eth4.30@eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br1 state UP group default
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
27: eth4.20@eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br2 state UP group default
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
28: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff
29: br2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether f0:2f:74:6e:94:88 brd ff:ff:ff:ff:ff:ff

Did you ever figure out why lan ports are not running? I have the same issue

In AC86U, if using another interface for trunk port (instead eth0), then you need to apply this command:

ethswctl -c hw-switching -o disable

Here is example with variables, so it is easier to adopt to different models.

Ports (example RT-AX82U)

eth0 = LAN4
eth1 = LAN3
eth2 = LAN2
eth3 = LAN1
eth4 = WAN
eth5 = 2.4 GHz
eth6 = 5 GHz
wl0.1 = Guest 1 (2.4 GHz)
wl0.2 = Guest 2 (2.4 GHz)
wl1.3 = Guest 3 (5 GHz)

Tagged to WAN port (for example)

Default network = br0, vlan id 50
Guest network 1 = br1, vlan id 60
Guest network 2 = br2, vlan id 70
Guest network 3 = br3, vlan id 20

Script

script="/jffs/scripts/services-start"
ip="10.14.15.15" # Default network static IP
taggedPort="eth4" # Tagged "WAN" port
otherPorts="eth0 eth1 eth2 eth3 eth5 eth6" # Other ports
guest1="wl0.1" # Guest network 1 interface
guest2="wl0.2" # Guest network 2 interface
guest3="wl1.3" # Guest network 3 interface
vlanId0=50 # Default network VLAN ID
vlanId1=60 # Guest network 1 VLAN ID
vlanId2=70 # Guest network 2 VLAN ID
vlanId3=20 # Guest network 3 VLAN ID

tee "${script}" > /dev/null << EOF
#!/bin/sh

# Remove seperate networks from default bridge
brctl delif br0 ${taggedPort}
brctl delif br0 ${guest1}
brctl delif br0 ${guest2}
brctl delif br0 ${guest3}

# Add VLANs
ip link add link ${taggedPort} name ${taggedPort}.${vlanId0} type vlan id ${vlanId0}
ip link add link ${taggedPort} name ${taggedPort}.${vlanId1} type vlan id ${vlanId1}
ip link add link ${taggedPort} name ${taggedPort}.${vlanId2} type vlan id ${vlanId2}
ip link add link ${taggedPort} name ${taggedPort}.${vlanId3} type vlan id ${vlanId3}
ip link set ${taggedPort}.${vlanId0} up
ip link set ${taggedPort}.${vlanId1} up
ip link set ${taggedPort}.${vlanId2} up
ip link set ${taggedPort}.${vlanId3} up

# Default network
ifconfig br0 "${ip}" netmask 255.255.255.0
brctl addif br0 ${taggedPort}.${vlanId0}
nvram set lan_ifnames="${otherPorts} ${taggedPort}.${vlanId0}"
nvram set br0_ifnames="${otherPorts} ${taggedPort}.${vlanId0}"

# Guest network 1
brctl addbr br1
brctl addif br1 ${taggedPort}.${vlanId1}
brctl addif br1 ${guest1}
ip link set br1 up
nvram set lan1_ifnames="${guest1} ${taggedPort}.${vlanId1}"
nvram set br1_ifnames="${guest1} ${taggedPort}.${vlanId1}"
nvram set lan1_ifname="br1"
nvram set br1_ifname="br1"
nvram set ${guest1}_ap_isolate=1
wl -i ${guest1} ap_isolate 1

# Guest network 2
brctl addbr br2
brctl addif br2 ${taggedPort}.${vlanId2}
brctl addif br2 ${guest2}
ip link set br2 up
nvram set lan2_ifnames="${guest2} ${taggedPort}.${vlanId2}"
nvram set br2_ifnames="${guest2} ${taggedPort}.${vlanId2}"
nvram set lan2_ifname="br2"
nvram set br2_ifname="br2"
nvram set ${guest2}_ap_isolate=1
wl -i ${guest2} ap_isolate 1

# Guest network 3
brctl addbr br3
brctl addif br3 ${taggedPort}.${vlanId3}
brctl addif br3 ${guest3}
ip link set br3 up
nvram set lan3_ifnames="${guest3} ${taggedPort}.${vlanId3}"
nvram set br3_ifnames="${guest3} ${taggedPort}.${vlanId3}"
nvram set lan3_ifname="br3"
nvram set br3_ifname="br3"
nvram set ${guest3}_ap_isolate=1
wl -i ${guest3} ap_isolate 1

# Restart eapd
killall eapd
eapd
EOF

chmod a+x "${script}"
reboot

Here is a working version for me. Router RT-AX86u

#### Info #########################################################
#                             RT-AX86u
#
# eth0		Physical port WAN
# eth1		Physical port 4
# eth2		Physical port 3
# eth3		Physical port 2
# eth4		Physical port 1
# eth5		Physical port 2.5Gbe
#
# eth6		WiFi 2.4GHz 
# eth7		WiFi 5.0GHz 
#
# wl0.1		WiFi 2.4GHz guest1
# wl0.2		WiFi 2.4GHz guest2
# wl0.3		WiFi 2.4GHz guest3
#
# wl1.1		WiFi 5.0GHz guest1
# wl1.2		WiFi 5.0GHz guest2
# wl1.3		WiFi 5.0GHz guest3
###################################################################

#### Edit #########################################################
script="/jffs/scripts/services-start"
ip="192.168.1.100" # Default network static IP
vlanId0=10 # Default network VLAN ID
vlanId1=20 # Guest network 1 VLAN ID
vlanId2=30 # Guest network 2 VLAN ID
vlanId3=40 # Guest network 3 VLAN ID
taggedPort="eth5" # Tagged port
otherPorts="eth0 eth1 eth2 eth3 eth4 eth6 eth7" # Default network interface
guest1="wl0.1 wl1.1" # Guest network 1 interface
guest2="wl0.2 wl1.2" # Guest network 2 interface
guest3="wl0.3 wl1.3" # Guest network 3 interface
###################################################################


tee "${script}" > /dev/null << EOF
#!/bin/sh

# Fix physical ports not working
ethswctl -c hw-switching -o disable

# Remove seperate networks from default bridge
brctl delif br0 ${taggedPort}
brctl delif br0 ${guest1}
brctl delif br0 ${guest2}
brctl delif br0 ${guest3}

# Add VLANs
ip link add link ${taggedPort} name ${taggedPort}.${vlanId0} type vlan id ${vlanId0}
ip link add link ${taggedPort} name ${taggedPort}.${vlanId1} type vlan id ${vlanId1}
ip link add link ${taggedPort} name ${taggedPort}.${vlanId2} type vlan id ${vlanId2}
ip link add link ${taggedPort} name ${taggedPort}.${vlanId3} type vlan id ${vlanId3}
ip link set ${taggedPort}.${vlanId0} up
ip link set ${taggedPort}.${vlanId1} up
ip link set ${taggedPort}.${vlanId2} up
ip link set ${taggedPort}.${vlanId3} up

# Default network
ifconfig br0 "${ip}" netmask 255.255.255.0
brctl addif br0 ${taggedPort}.${vlanId0}
nvram set lan_ifnames="${otherPorts} ${taggedPort}.${vlanId0}"
nvram set br0_ifnames="${otherPorts} ${taggedPort}.${vlanId0}"

# Guest network 1
brctl addbr br1
brctl addif br1 ${taggedPort}.${vlanId1}
brctl addif br1 ${guest1}
ip link set br1 up
nvram set lan1_ifnames="${guest1} ${taggedPort}.${vlanId1}"
nvram set br1_ifnames="${guest1} ${taggedPort}.${vlanId1}"
nvram set lan1_ifname="br1"
nvram set br1_ifname="br1"
nvram set ${guest1}_ap_isolate=1
wl -i ${guest1} ap_isolate 1

# Guest network 2
brctl addbr br2
brctl addif br2 ${taggedPort}.${vlanId2}
brctl addif br2 ${guest2}
ip link set br2 up
nvram set lan2_ifnames="${guest2} ${taggedPort}.${vlanId2}"
nvram set br2_ifnames="${guest2} ${taggedPort}.${vlanId2}"
nvram set lan2_ifname="br2"
nvram set br2_ifname="br2"
nvram set ${guest2}_ap_isolate=1
wl -i ${guest2} ap_isolate 1

# Guest network 3
brctl addbr br3
brctl addif br3 ${taggedPort}.${vlanId3}
brctl addif br3 ${guest3}
ip link set br3 up
nvram set lan3_ifnames="${guest3} ${taggedPort}.${vlanId3}"
nvram set br3_ifnames="${guest3} ${taggedPort}.${vlanId3}"
nvram set lan3_ifname="br3"
nvram set br3_ifname="br3"
nvram set ${guest3}_ap_isolate=1
wl -i ${guest3} ap_isolate 1

# Restart eapd
killall eapd
eapd
EOF

chmod a+x "${script}"
reboot

So I have an AC86U and AX86S on the same network connected with a TPLink switch. I setup vlan ID 227 and 11 on the AC86U and then tagged ports 1-8 on the switch for 227 and untagged 11 on port 4. Do I need to also setup VLAN 227 on the AX86U and just not setup ID 11?

I have 1x AC86 (main AP) and 2x AC68 (nodes, wired backhaul).
Does AiMesh still work?
Do I have to enable this script on the three AP's or only one the main AP (AC86)?

I have 1x AC86 (main AP) and 2x AC68 (nodes, wired backhaul).
Does AiMesh still work?
Do I have to enable this script on the three AP's or only one the main AP (AC86)?

I too have the same question. Does the script need to be run on each router (customised for each) or just on the main AP?
I have AX88U as the AP and AX56U as a AiMesh node.

Hello,
I have the same MESH Qs. How can I get this nice VLAN script to work within wired-connected ASUS MESH routers?

bump - I have a successful AP VLAN setup with AX88U and AX3000 not in mesh mode. I currently have simple Guest 1 as VLAN 10 and Guest 2 as VLAN 20. If I were to put APs in mesh mode with wired backhaul what would the default traffic look like? Also while I am writting does anyone have a location where I can find a list of NVRAM variables. I notieced I have a some that I am curious about i.e. wl_vif*; wl0.4_ifname, etc.

ASUS router with Asuswrt-Merlin in AP mode and VLAN configured in services-start.sh script can be connected directly to pfSense without managed switch and will work as configured?

ASUS router with Asuswrt-Merlin in AP mode and VLAN configured in services-start.sh script can be connected directly to pfSense without managed switch and will work as configured?

For these purposes, it would be better to use something in openwrt, but yes, it will work that way.