multi SSID with VLAN script, for ASUS AC86U with merlin
#!/bin/sh
# multi SSID with VLAN script, for ASUS AC86U with merlin
#
# setup beforehand:
# set "router" to "AP Mode"
# this will put all ports and wireless in br0
# create 2 guest networks
# enable Administration => System => Enable JFFS custom scripts and configs
# put this script in /jffs/scripts/, the name should be "services-start"
# remember `chmod a+x services-start`
# I strongly suggest you use a static IP instead of DHCP
# in my test, the "router" picked up a DHCP lease from VLAN 1 instead of VLAN 227
# reboot
# some basic info on the original AP mode:
# eth0 => WAN port
# eth1~4 => LAN ports 4~1, they're reversed
# eth5 => WiFi 2.4G
# eth6 => WiFi 5G
# wl0.1, wl0.2 => WiFi 2.4G guest networks
# this setup:
# WAN port (eth0) will be repurposed as a tagged (802.1Q trunk) port
# LAN ports (eth1~4) and primary WiFi (eth5,6) will be on VLAN 227
# guest network 1 will be on VLAN 11
# guest network 2 will be on VLAN 12
#echo "============== START 1 $(date) ==================" >> /jffs/scripts/log
#ip a >> /jffs/scripts/log
#ip r >> /jffs/scripts/log
#brctl show >> /jffs/scripts/log
#echo "============== END 1 $(date) ==================" >> /jffs/scripts/log
# echo $PATH > /tmp/script_debug
# remove eth0 which will be reconfigured as a tagged port
brctl delif br0 eth0
# remove interfaces we're going to move to other bridges
brctl delif br0 wl0.1
brctl delif br0 wl0.2
# add vlans
# interestingly, depending on the time passed since system boot,
# vlan interfaces will be named eth0.1 or vlan1, I guess some udev rules got loaded.
# so we use ip link instead of vconfig to specify a name explicitly.
ip link add link eth0 name eth0.227 type vlan id 227
ip link add link eth0 name eth0.11 type vlan id 11
ip link add link eth0 name eth0.12 type vlan id 12
ip link set eth0.227 up
ip link set eth0.11 up
ip link set eth0.12 up
# reconfigure br0, private LAN
brctl addif br0 eth0.227
# set up br1, guest LAN
brctl addbr br1
brctl addif br1 eth0.11
brctl addif br1 wl0.1
ip link set br1 up
# set up br2, another guest LAN for IoT devices
brctl addbr br2
brctl addif br2 eth0.12
brctl addif br2 wl0.2
ip link set br2 up
# seems like eapd reads config from these
# no need to set lan_ifname since it's already there
nvram set lan_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth0.227"
nvram set lan1_ifnames="wl0.1 eth0.11"
nvram set lan1_ifname="br1"
nvram set lan2_ifnames="wl0.2 eth0.12"
nvram set lan2_ifname="br2"
# doesn't seem to affect anything, just make it align
nvram set br0_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth0.227"
nvram set br1_ifnames="wl0.1 eth0.11"
nvram set br1_ifname="br1"
nvram set br2_ifnames="wl0.2 eth0.12"
nvram set br2_ifname="br2"
# we do NOT issue `nvram commit` here since it won't survive reboot anyway
# is there a better way to do this like `service restart eapd` ?
killall eapd
eapd
#echo "============== START 2 $(date) ==================" >> /jffs/scripts/log
#ip a >> /jffs/scripts/log
#ip r >> /jffs/scripts/log
#brctl show >> /jffs/scripts/log
#echo "============== END 2 $(date) ==================" >> /jffs/scripts/log
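A post-run check for the layout the script above is supposed to leave behind. This is an added example, not part of the gist: it parses `brctl show` text (the two listings embedded below are constructed, not captured from a device) and fails if eth0 is still a member of br0 or if br0/br1/br2 do not contain exactly the expected ports. The expected membership is taken from the script's own comments (AC86U names, VLANs 227/11/12); the `EXPECTED_*` values and the `--live` flag are this example's own conventions.

```shell
#!/bin/sh
# Added example, not part of the gist: verify the bridge layout that the
# services-start script above is supposed to produce, from `brctl show` output.
# Expected membership follows the script's comments (AC86U names, VLAN
# 227/11/12); change EXPECTED_* for other models or VLAN IDs.

EXPECTED_BR0="eth1 eth2 eth3 eth4 eth5 eth6 eth0.227"
EXPECTED_BR1="eth0.11 wl0.1"
EXPECTED_BR2="eth0.12 wl0.2"

# Print the member ports of bridge $2, one per line, sorted.
# $1 is the full text of `brctl show`.
bridge_members() {
    printf '%s\n' "$1" | awk -v br="$2" '
        $1 == "bridge" { next }                  # column header line
        NF == 4 { cur = $1; iface = $4 }         # name, id, stp, first member
        NF == 3 { cur = $1; iface = ""; next }   # bridge with no members
        NF == 1 { iface = $1 }                   # continuation: one more member
        cur == br && iface != "" { print iface; iface = "" }
    ' | sort
}

# Succeed only if bridge $2 contains exactly the ports listed in $3.
bridge_has_exactly() {
    got=$(bridge_members "$1" "$2" | tr '\n' ' ')
    want=$(printf '%s\n' $3 | sort | tr '\n' ' ')
    [ "$got" = "$want" ]
}

# Succeed if port $3 is NOT in bridge $2 (eth0 must have left br0).
bridge_lacks() {
    ! bridge_members "$1" "$2" | grep -qxF "$3"
}

# The whole layout the script is meant to produce.
check_layout() {
    bridge_lacks "$1" br0 eth0 &&
    bridge_has_exactly "$1" br0 "$EXPECTED_BR0" &&
    bridge_has_exactly "$1" br1 "$EXPECTED_BR1" &&
    bridge_has_exactly "$1" br2 "$EXPECTED_BR2"
}

# Constructed `brctl show` output after a successful run (not from a real device).
GOOD_SHOW='bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000001       no              eth1
                                                        eth2
                                                        eth3
                                                        eth4
                                                        eth5
                                                        eth6
                                                        eth0.227
br1             8000.000000000002       no              eth0.11
                                                        wl0.1
br2             8000.000000000003       no              eth0.12
                                                        wl0.2'

# Constructed failure case: eth0 never left br0 (e.g. `brctl delif br0 eth0`
# failed). With eth0 and eth0.227 both in br0, the bridge forwards every frame
# from the trunk, untagged native-VLAN traffic and tagged guest-VLAN frames
# alike, into the private LAN ports, so the segmentation is gone.
BAD_SHOW='bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000001       no              eth0
                                                        eth1
                                                        eth0.227
br1             8000.000000000002       no              eth0.11
                                                        wl0.1
br2             8000.000000000003       no              eth0.12
                                                        wl0.2'

# On the router (saved e.g. as /jffs/scripts/check-bridges.sh, name assumed):
#   sh /jffs/scripts/check-bridges.sh --live
case "${1:-}" in
    --live)
        if check_layout "$(brctl show)"; then
            echo "bridge layout OK"
        else
            echo "bridge layout WRONG, see: brctl show" >&2
            exit 1
        fi ;;
esac
```

Running this once after `services-start` has fired is cheaper than the two-day hunt described later in the thread: a silently failed `brctl delif` or an unsupported `ip link add` leaves a bridge layout that still passes traffic, just not the traffic you think.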
Jimmy-Z commented May 8, 2020

Yeah you can't get it to work so I must have posted something I didn't test, sounds reasonable.

lnpbr commented May 8, 2020

> Yeah you can't get it to work so I must have posted something I didn't test, sounds reasonable.

I'm sorry! Not my intention...
I have tested it for eth2; it starts sending packets and suddenly stops, I could not figure out why. I found you proposed it for eth0, maybe there is some difference using this interface. Do you know?

Jimmy-Z commented May 8, 2020

That, I didn't test, I can confirm the original script worked as is, past tense as I don't have that setup anymore, so I'm sorry I can't test that for you.

lnpbr commented May 8, 2020

Thanks for feedback and support, I will perform some additional tests.

TheEngineerGuy commented Jul 13, 2020

Brilliant writeup.

Three quick questions (if I may):

  1. If I need to enable intraSSID security or AP Isolated mode, to prevent devices on same SSID talking to each other, how do I configure that?
  2. Can the names of the SSIDs be configured/customized?
  3. Can I run the management VLAN as untagged? (Which I assume will be by removing the lines that configure eth0.227, and VLAN 227)

Jimmy-Z commented Jul 13, 2020

  1. I guess it should work just as before, I have never used that feature though.
  2. Of course.
  3. It should work, but again I have not tested that.

TheEngineerGuy commented Jul 13, 2020

Thanks Jimmy. I will give it a shot on my AC66U today and get back to this thread with feedback.

TheEngineerGuy commented Jul 13, 2020

Ok, so some trouble in paradise. Seems like I don't have 'add' option under 'ip link'.

Anyway around this?

ERROR: Command "add" is unknown, try "ip link help"

Jimmy-Z commented Jul 14, 2020

I suppose ac66u doesn't come with that then.

tubaxiaosiji commented Aug 8, 2020

The ASUS ac66u_b1 switch hardware model is different from the ac86U. I forked your script and it supports the ac66u_b1 on merlin now. Thanks.

tjukic commented Aug 8, 2020

@Jimmy-Z can I use this approach to setup ISP provided VLANs trunk (they trunk Internet and IPTV) as passthrough at one of the points, instead of the forced split to ports 3 & 4 AsusWRT defaults to? I'd love to avoid having to buy a new managed switch just to re-trunk it all (since I need both VLANS at one port due to limited cabling).

Jimmy-Z commented Aug 8, 2020

@tubaxiaosiji Nice work, hope @TheEngineerGuy could see that.

@tjukic It should work, just setup another port as trunk.

TheEngineerGuy commented Aug 9, 2020

> @tubaxiaosiji Nice work, hope @TheEngineerGuy could see that.
>
> @tjukic It should work, just setup another port as trunk.

I had solved it after our conversation last month, ended up using vconfig for my purposes. But I ran across two challenges, which are ASUS centric, and can't be solved (to my understanding), so I dropped the idea of using this router as my AP, and got a Cisco AP instead.

  1. Unable to Run 'Smart connect' on guest SSIDs
  2. Unable to apply 'AP Isolated mode' across two frequencies, which means that if one device connects to 2GHz and other connects to 5GHz on same SSIDs, they can speak to each other even with 'AP Isolated mode' enabled.

On Cisco, this was quite easy to fix.
-Enabled smart connect across all SSIDs, one command to do it.
-And for AP Isolated, I just added both 2GHz and 5GHz VLAN sub-interfaces for that SSID to the same bridge port group, and enabled protection on the bridge port group.

Voilà, devices for that SSID can now connect to 5GHz or 2.4GHz using smart connect, and can't communicate with each other, no matter which frequency they are on.

If anyone has a way of doing this on Asus, please let me know.

hyacin75 commented Sep 9, 2020

I've got a REALLY simple bridge -

br1             8000.244bfe0a08c9       yes             bond0.12
                                                        wl0.1

I'm able to ping my DHCP server from my router -

me@RT-AX88U-08C8:/jffs# ping 10.250.99.3 -I br1
PING 10.250.99.3 (10.250.99.3): 56 data bytes
64 bytes from 10.250.99.3: seq=0 ttl=64 time=0.818 ms
64 bytes from 10.250.99.3: seq=1 ttl=64 time=0.698 ms
^C
--- 10.250.99.3 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.698/0.758/0.818 ms

me@RT-AX88U-08C8:/jffs#

I see traffic come in the wl0.1 interface -

23:51:35.011103 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from my:ph:0n:3f:00:b4 (oui Unknown), length 286
23:51:36.944442 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from my:ph:0n:3f:00:b4 (oui Unknown), length 286

but I do not see that traffic exit my bond0.12 interface. Anyone have any insight into what the hell is going on here? I've been pulling my hair out for two days trying to get this to work.

Edit: Found it - ebtables - didn't know that was a thing. Once I cleared out those blocks all was well.
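The diagnosis above is the one to remember: AsusWRT/Merlin enforces guest-network isolation with ebtables rules keyed on the guest interface, and those rules keep dropping frames after wl0.1 is moved into its own bridge, which is exactly the "DHCP goes in, nothing comes out" symptom. Clearing the whole table works but also removes every other bridge-level rule. The following is an added example, not from the gist or from the post above: it parses `ebtables -L` text (the listing embedded below is constructed, and the "Bridge table:" / "Bridge chain:" header layout is assumed to match what ebtables prints) and emits only the `ebtables -D` commands for rules that name a given bridge port, so they can be reviewed before anything is deleted.

```shell
#!/bin/sh
# Added example, not from the gist or hyacin75's post: find the ebtables rules
# that reference one bridge port (e.g. a guest SSID interface moved to its own
# bridge) and print the matching `ebtables -D` commands for review.
# Assumed `ebtables -L` layout: "Bridge table: <name>",
# "Bridge chain: <name>, entries: N, policy: P", then one rule spec per line.

# $1 = text of `ebtables -L`, $2 = interface name (exact match on -i / -o)
# Prints one `ebtables -t <table> -D <chain> <rule>` line per matching rule.
ebtables_delete_cmds() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        /^Bridge table: / { tbl = $3; next }
        /^Bridge chain: / { chain = $3; sub(/,$/, "", chain); next }
        NF == 0 { next }
        {
            # a rule line is its own spec; look for -i/-o followed by our port
            for (i = 1; i < NF; i++)
                if (($i == "-i" || $i == "-o") && $(i + 1) == ifc) {
                    print "ebtables -t " tbl " -D " chain " " $0
                    break
                }
        }
    '
}

# Constructed `ebtables -L` listing (not captured from a router), mimicking
# isolation rules that drop frames between a guest SSID and a LAN port.
EBT_SAMPLE='Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 3, policy: ACCEPT
-i wl0.1 -o eth1 -j DROP
-i eth1 -o wl0.1 -j DROP
-i wl0.2 -o eth1 -j DROP

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT'

# On the router, review first, then apply only what you reviewed:
#   ebtables_delete_cmds "$(ebtables -L)" wl0.1
#   ebtables_delete_cmds "$(ebtables -L)" wl0.1 | sh
```

Against the sample this prints two commands, both for the FORWARD chain, and nothing for `wl0.2` rules that do not involve `wl0.1`. Once the guest SSID sits in its own bridge on its own VLAN, the policy between guest and private networks belongs on the upstream router or firewall (pfSense in several posts below), not on bridge-level drop rules that the interface move has turned into a black hole.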

RobotsAreCrazy commented Sep 25, 2020

Thanks Jimmy, great work... how would I go about having the 86U as an AP with VLAN SSIDs, segregating those SSID VLANs to a pfSense/OPNsense?

nguyenhuy189 commented Dec 4, 2020

> It should work, but official firmware doesn't support JFFS custom scripts IIRC, you'll need a usb drive to run this at start.

Please help me run this script on official firmware. Thanks.

LeeGDavis commented Jan 16, 2022

@Jimmy-Z Thanks for the script! I seem to have two issues

  • On first boot, wired, I get handed the DHCP address from my router, not the VLAN and I can access the AP (rt-ac86u) just fine, but I cannot access my firewall device (pfsense)
  • If I disconnect the cable and reconnect I get the correct VLAN address (227). However now I can't access the AP, but I can access my firewall.
  • All of the guest wireless work fine and map to the correct VLAN, however even though they are given full access (for the moment) they also cannot see the AP either, but have no issue seeing the firewall.
  • The main SSID maps to the correct VLAN 227, but same problem firewall access, but no AP.

Normal non-jffs scripted configuration works fine, obviously with no VLAN tagging, but I cannot figure out what would create this scenario. This is also in a lab environment where my firewall is pulling a private IP while I sort this out, but that hasn't created issues in the past with devices that say they support VLAN tagging out of the gate.

Curious if this rings any bells for how something could be misconfigured. Thanks!

jrnewell commented Feb 21, 2022

To get this to work on the RT-AC3100, I had to add some robocfg commands at the end. I didn't check what parts of the script are necessary for the RT-AC3100, so I just added it to the end of the script before the eapd restart. Also on the RT-AC3100, eth1 and eth2 are the wifi interfaces.

# using VLAN 10, 4 is the WAN port
robocfg vlan 10 ports "4t 8t"
nvram set vlan10ports="4t 8t"

Also, for anyone wondering how to get the script to run on reboot using a USB stick and stock firmware

  1. ssh into the router
  2. copy script to jffs folder (for example I named it setup_vlans.sh)
  3. make script executable: chmod +x setup_vlans.sh
  4. set nvram variable to run script on startup: nvram set script_usbmount="/jffs/setup_vlans.sh"
  5. nvram commit
  6. Plug in USB drive and leave in router
  7. (Optional) Make a backup of the script on the usb drive so you don't lose it if you have reset your router: mkdir -p /tmp/USB; mount /dev/sda /tmp/USB; cp /jffs/setup_vlans.sh /tmp/USB/; umount /tmp/USB

Jimmy-Z commented Feb 22, 2022

@LeeGDavis I'd be glad to help but I didn't have your problem during the period that I was using this solution, and as I said before, I don't have this setup anymore.

@jrnewell and everyone, I'd recommend only using this script (and adapt to your situation of course) if you can understand what every command does, this gist serves more like a note instead of a take and go solution.

Knud3 commented Aug 26, 2022

Fantastic work! Thank you a lot @Jimmy-Z !

Got it working with RT-AX82U.

Here is full wall of text which I just copy & pasted to SSH client:

ip="10.14.15.15" # Default network static IP
vlanId1=50 # Default network VLAN ID
vlanId2=60 # Guest network 1 VLAN ID
vlanId3=70 # Guest network 2 VLAN ID

script="/jffs/scripts/services-start"

tee "${script}" > /dev/null << EOF
#!/bin/sh

# Ports in RT-AX82U:
# eth0 = LAN4
# eth1 = LAN3
# eth2 = LAN2
# eth3 = LAN1
# eth4 = WAN
# eth5 = 2.4 GHz
# eth6 = 5 GHz
# wl0.1 = Guest 1
# wl0.2 = Guest 2

# Tagged to WAN port (eth4):
# Default network: br0, vlan id ${vlanId1}
# Guest network 1: br1, vlan id ${vlanId2}
# Guest network 2: br2, vlan id ${vlanId3}

# Remove default configs
brctl delif br0 eth4
brctl delif br0 wl0.1
brctl delif br0 wl0.2

# Add VLANs
ip link add link eth4 name eth4.${vlanId1} type vlan id ${vlanId1}
ip link add link eth4 name eth4.${vlanId2} type vlan id ${vlanId2}
ip link add link eth4 name eth4.${vlanId3} type vlan id ${vlanId3}
ip link set eth4.${vlanId1} up
ip link set eth4.${vlanId2} up
ip link set eth4.${vlanId3} up

# Default network
ifconfig br0 "${ip}" netmask 255.255.255.0
brctl addif br0 eth4.${vlanId1}
nvram set lan_ifnames="eth0 eth1 eth2 eth3 eth5 eth6 eth4.${vlanId1}"
nvram set br0_ifnames="eth0 eth1 eth2 eth3 eth5 eth6 eth4.${vlanId1}"

# Guest network 1
brctl addbr br1
brctl addif br1 eth4.${vlanId2}
brctl addif br1 wl0.1
ip link set br1 up
nvram set lan1_ifnames="wl0.1 eth4.${vlanId2}"
nvram set br1_ifnames="wl0.1 eth4.${vlanId2}"
nvram set lan1_ifname="br1"
nvram set br1_ifname="br1"
nvram set wl0.1_ap_isolate=1
wl -i wl0.1 ap_isolate 1

# Guest network 2
brctl addbr br2
brctl addif br2 eth4.${vlanId3}
brctl addif br2 wl0.2
ip link set br2 up
nvram set lan2_ifnames="wl0.2 eth4.${vlanId3}"
nvram set br2_ifnames="wl0.2 eth4.${vlanId3}"
nvram set lan2_ifname="br2"
nvram set br2_ifname="br2"
nvram set wl0.2_ap_isolate=1
wl -i wl0.2 ap_isolate 1

# Restart eapd
killall eapd
eapd
EOF

chmod a+x "${script}"
reboot

demarey-baker commented Sep 18, 2022

@Knud3 , I want to do this to AX88U with pfsense as router and a managed switch passing these values. Will this script work in this scenario?

Knud3 commented Sep 19, 2022

> @Knud3, I want to do this to AX88U with pfsense as router and a managed switch passing these values. Will this script work in this scenario?

Do not know about AX88U, but I have exact that setup, pfSense and HP managed switches. Works really well.

demarey-baker commented Sep 20, 2022

I have managed to get VLAN working on AX88U, however, I cannot log in to the web interface again. Any idea how to solve this?

demarey-baker commented Sep 22, 2022

@Jimmy-Z, I modified the script to work on AX88U and it is routing VLANs correctly. However, I am locked out of the router login page. Do you have any idea what could have caused this or how to fix it?

demarey-baker commented Sep 23, 2022

Thanks a lot @Jimmy-Z and @Knud3. I made this work on AX88U. My setup is pfSense + managed switch and 3 VLANs. Here is the modified script. Just the ports are a little different, but everything else is the same.

#ip="10.27.27.8" # Default network static IP
vlanId1=50 # Default network VLAN ID
vlanId2=60 # Guest network 1 VLAN ID
vlanId3=70 # Guest network 2 VLAN ID

script="/jffs/scripts/services-start"

tee "${script}" > /dev/null << EOF
#!/bin/sh

# Ports in RT-AX88U:
# Physical port to interface map:
# eth0   WAN
# eth1   LAN 4
# eth2   LAN 3
# eth3   LAN 2
# eth4   LAN 1
# eth5   Bridge of LAN 5, LAN 6, LAN 7, LAN 8
# eth6   2.4 GHz Radio
# eth7   5 GHz Radio
# wl0.1 = Guest 1 (2.4 GHz)
# wl1.1 = Guest 1 (5 GHz), used as the second guest network below


# Tagged to WAN port (eth0):
# Default network: br0, vlan id ${vlanId1}
# Guest network 1: br1, vlan id ${vlanId2}
# Guest network 2: br2, vlan id ${vlanId3}

# Remove default configs
brctl delif br0 eth0
brctl delif br0 wl0.1
brctl delif br0 wl1.1

# Add VLANs
ip link add link eth0 name eth0.${vlanId1} type vlan id ${vlanId1}
ip link add link eth0 name eth0.${vlanId2} type vlan id ${vlanId2}
ip link add link eth0 name eth0.${vlanId3} type vlan id ${vlanId3}
ip link set eth0.${vlanId1} up
ip link set eth0.${vlanId2} up
ip link set eth0.${vlanId3} up

# Default network
#ifconfig br0 "${ip}" netmask 255.255.255.0
brctl addif br0 eth0.${vlanId1}
# eth0 itself is the tagged trunk parent and stays out of br0; eth6/eth7 are the radios
nvram set lan_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth7 eth0.${vlanId1}"
nvram set br0_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth7 eth0.${vlanId1}"

# Guest network 1
brctl addbr br1
brctl addif br1 eth0.${vlanId2}
brctl addif br1 wl0.1
ip link set br1 up
nvram set lan1_ifnames="wl0.1 eth0.${vlanId2}"
nvram set br1_ifnames="wl0.1 eth0.${vlanId2}"
nvram set lan1_ifname="br1"
nvram set br1_ifname="br1"
nvram set wl0.1_ap_isolate=1
wl -i wl0.1 ap_isolate 1

# Guest network 2
brctl addbr br2
brctl addif br2 eth0.${vlanId3}
brctl addif br2 wl1.1
ip link set br2 up
nvram set lan2_ifnames="wl1.1 eth0.${vlanId3}"
nvram set br2_ifnames="wl1.1 eth0.${vlanId3}"
nvram set lan2_ifname="br2"
nvram set br2_ifname="br2"
nvram set wl1.1_ap_isolate=1
wl -i wl1.1 ap_isolate 1

# Restart eapd
killall eapd
eapd
EOF

chmod a+x "${script}"
reboot

robertr1229 commented Sep 30, 2022

@demarey-baker How were you able to get to the Web UI? I have tried this multiple times and it seems like the connected interface is not a trunk port.

Should be Pfsense (Trunk Port) > Managed Switch (Trunk Port) > Asus (Trunk Port) > SSID's tagged for VLAN traffic

Knud3 commented Sep 30, 2022

@robertr1229 tell more about your setup. Especially what you mean by trunk port? pfSense does not have trunk ports, nor does Asus. You have a Cisco switch with DTP/VTP? Maybe just tell which networks you have VLAN tagged/untagged and on which ports.

demarey-baker commented Sep 30, 2022

@robertr1229, yes I got the web GUI to work. Make sure you set the static IP address for the router as part of the main VLAN. My problem was that I thought it would be a part of the main network, so I didn't have any access even though the VLAN worked. Let me know if you have any other questions. Also, which router are you using exactly?
For reference this is my setup.
PFsense native lan : 10.27.27.0/24
VLAN 50 :10.27.50.0/24
VLAN 60 :10.27.60.0/24
VLAN 70 :10.27.70.0/24
I gave the Asus router a static address of 10.27.50.10 before running the script and I can always address it on that. Prior to this, I was doing it from the native LAN and it would always lose access. Everything works fine now, but the VLANs normally get messed up if you change the wifi settings like passwords etc.; after a reboot everything works fine.

robertr1229 commented Sep 30, 2022

> @robertr1229 tell more about your setup. Especially what you mean by trunk port? pfSense does not have trunk ports (I have heard some rack Netgate models have, but I doubt that you have one), nor does Asus. You have a Cisco switch with DTP/VTP? Maybe just tell which networks you have VLAN tagged/untagged and on which ports.

I think the issue is not setting a static IP before running the script. As for Trunk ports. That is not a physical port. A Trunk port is used to transmit multiple tagged VLANS on a single port or "VLAN Aware" Asus Merlin may not be able to support it but PFSense definitely can. As well as any managed switch.

I also just saw your config for the RT-AX82U. I am using the same device and will give it a try. I would like to have Trunking but I can live with just setting it up on a Native VLAN.

Knud3 commented Sep 30, 2022

Yes, I know what trunk ports are used for. pfSense definitely supports tagging VLANs on a single physical port, but if we are really talking about 802.1Q trunking, it (DTP/VTP) is a Cisco proprietary protocol. The other place where the word trunking is sometimes used is link aggregation ("port trunking").
