ASUS, VLAN on Purple
New to Firewalla, amazed at how simple it is, and have a red working perfectly in simple mode, but ordered a Purple "just because". I'm not a network guy, so excuse any improper network terms, I'm "internet educated" here.
Setup: 3 ASUS routers, two in AP mode using AiMesh. Main router (AX58U) running Merlin. Ethernet backhaul. 2 managed switches. 2 guest networks created through the UI, one 2.4 GHz, one 5 GHz, with different SSIDs (one for IoT, one for TVs). When ASUS creates the guest networks, it uses VLANs. The 2.4 GHz is VID 501, the 5 GHz is VID 502. These map to xxx.xxx.101.xxx and xxx.xxx.102.xxx subnets. I set up the switches with QVLAN settings and have some hardwired ports mapped to the guest network on the switches, and everything works great.
The question is, when I get the Firewalla Purple, the main router will become an AP. If I create VLAN IDs 501 and 502 on the Purple, do you think this will just work? They must have the WAN port as a trunk, as that's what's used for the backhaul, so I think it should, but as there's no built-in VLAN support in the UI I don't know. If it doesn't, I'm sure there's a way to get it to work, but I'm wondering if I'm being too optimistic about it being easy.
-
I have not gotten the Purple Firewalla yet; they started shipping last week, so hopefully in the next 2 weeks I'll get it. As for managed switches, I have one 5-port TP-Link TL-SG105E and one 8-port Netgear GS908E. Each was under $20 at the time I bought them, but they have been really reliable. If you have similar TP-Link or Netgear switches and want screenshots of the admin pages, let me know (assuming we can put images here).
-
Got the Purple. Set it up in router mode, but unfortunately when you put the ASUS into AP mode the VLANs for the wireless guest networks go away. There are a few scripts on the internet for mapping wl0.1 and wl1.1 to VLANs, but so far when I do it, they can't access the router for DHCP. Haven't spent much time on it yet, but if I get it to work, I'll post.
-
Got this working today, with minor possible issues. It's mainly based on the script here: https://gist.github.com/Jimmy-Z/ (services-start.sh). The trickiest part is figuring out how the physical ports are mapped to the interfaces. On my AX58, eth4 is the WAN and eth3 is port 1. Everything works there as expected. The node is an AX55, so no Merlin firmware, which means there's no "scripts" folder to have it run automatically. I don't reboot often, but that will be an annoyance. Anyway, here's the script. Hopefully it's OK to post it here.
#!/bin/sh
# VLAN script, for ASUS AX58 with merlin
#
# setup before hand:
# set "router" to "AP Mode" this will put all ports and wireless in br0
# Create 2 guest networks, 1 2.4, 1 5Ghz
# enable Administration => System => Enable JFFS custom scripts and configs (default)
# put this script in /jffs/scripts/, name should be "services-start" remember `chmod a+x services-start`
# reboot
# Ports are as follows
# eth4 => WAN port
# eth3 => Port1 (Physical)
# eth2 => Port2
# eth1 => Port3
# eth0 => Port4
# eth5 => WiFi 2.4G
# eth6 => WiFi 5G
# wl0.1 => WiFi 2.4G guest network
# wl1.1 => WiFi 5G guest network
# this setup:
# WAN port (eth4) will be repurposed as a tagged port
# LAN ports (eth0~3) and primary WiFi (eth5,6) will be on VLAN 1 (default)
# LAN physical port 1, eth3, goes to Mesh node (so needs to accept VLAN 501 and 502)
# guest 2.4 network 1 will be on VLAN 501
# guest 5G network 2 will be on VLAN 502

# remove eth4 (WAN) which will be reconfigured as a tagged port
brctl delif br0 eth4
# remove interfaces we're moving to other bridges (the 2 wifi's)
brctl delif br0 wl0.1
brctl delif br0 wl1.1
# we'll need two new bridges, one for each VLAN
brctl addbr br1
brctl addbr br2
# ip link add link eth4 name eth4.1 type vlan id 1
# Create the names (802.1Q sub-interfaces on the WAN port, one per VLAN)
ip link add link eth4 name eth4.501 type vlan id 501
ip link add link eth4 name eth4.502 type vlan id 502
# Bring the links up
ip link set eth4.501 up
ip link set eth4.502 up
# Add VLANS to the bridges
brctl addif br1 eth4.501
brctl addif br2 eth4.502
# Add the 2 wireless interfaces to their respective bridges
brctl addif br1 wl0.1
brctl addif br2 wl1.1
# Bring up the bridges
ip link set br1 up
ip link set br2 up
brctl stp br1 on
brctl stp br2 on
# Using port 1 for connection to the mesh, so we need to do the same to it
# eth3 is port 1 where we are plugged in, so
# Create the VLANS
ip link add link eth3 name eth3.501 type vlan id 501
ip link add link eth3 name eth3.502 type vlan id 502
# bring the links up
ip link set eth3.501 up
ip link set eth3.502 up
# add the links to the respective bridges
brctl addif br1 eth3.501
brctl addif br2 eth3.502
# no idea if this is needed
nvram set lan_ifnames="eth1 eth2 eth3 eth4 eth5 eth6"
nvram set lan1_ifnames="wl0.1 eth3.501 eth4.501"
nvram set lan1_ifname="br1"
nvram set lan2_ifnames="wl1.1 eth3.502 eth4.502"
nvram set lan2_ifname="br2"
# pretty sure this is not needed
nvram set br0_ifnames="eth1 eth2 eth3 eth4 eth5 eth6"
nvram set br1_ifnames="wl0.1 eth3.501 eth4.501"
nvram set br1_ifname="br1"
nvram set br2_ifnames="wl1.1 eth3.502 eth4.502"
nvram set br2_ifname="br2"
# put eth4 back in br0 (untagged traffic stays on the default VLAN)
brctl addif br0 eth4
brctl stp br0 on
# restart eapd so the wireless interfaces pick up the new bridges
killall eapd
eapd
# What it looks like with: brctl show
# bridge name   bridge id           STP enabled   interfaces
# br0           8000.fc3491218dd8   no            eth0
#                                                 eth1
#                                                 eth2
#                                                 eth3
#                                                 eth4
#                                                 eth5
#                                                 eth6
#                                                 tap21
# br1           8000.fc3123218dd8   no            eth3.501
#                                                 eth4.501
#                                                 wl0.1
# br2           8000.fc123418dd8    no            eth3.502
#                                                 eth4.502
#                                                 wl1.1
-
Rich,
This script works perfectly after tweaking it for my setup. I have an RT-AX86U as the first AP and RT-AX58Us as my other 2 APs, so there's an AP on each floor.
Your script is showing the letter l instead of the number 1 for the guest networks; I found it's a 10 and 11, not a l0 and l1.
The AX86U WAN port is eth0 instead of the eth4 that the AX58U has.
I tried AiMesh; it appears the guest networks don't show at all when using brctl show on the AiMesh nodes. I did figure out how to get the jffs script enabled to work by using an nvram set command on the AiMesh nodes, since you cannot enable it in the GUI, but it was useless since I could never get the wireless guest networks to show up to set up the guest networks on a VLAN. You can get VLAN setup on AiMesh on the Ethernet ports though. I'm happy though using AP mode on my 3 ASUS routers and having VLAN working perfectly on all 3 routers.
-
Glad it works. On mine it's definitely (lower case) wl0.1 and wl1.1. Are you using the Merlin firmware? It has the jffs partition in the UI, but if you're not, can you post how you enabled it? I have an AX55 which doesn't support Merlin, so I don't have the partition on there, which means the VLAN doesn't survive a reboot. It hasn't really been an issue since I rarely lose power or reboot it, but it'd be nice to have.
One thing I have found is that the guest VLAN does some isolation. On the guest network, if I join, I can ping/access other devices on the guest network, but when I put my Amazon Echos there, everything works except multiroom music. This is the case even if I put them all on a single AP. Using a different AP (that natively supports VLANs) doesn't have the same issue.
-
I have Merlin on all 3 routers (RT-AX86U and the 2 RT-AX58U), so not sure why my guest networks are using the number 1 instead of L on my AX58U or my AX86U routers. Not sure about a router that isn't on Merlin, but I did nvram show, which shows all nvram configuration settings, so it's best to copy/paste it into Notepad Plus or any notepad app so you can search.
On Merlin I found mine is set like this, with jffs2 enabled in the GUI.
jffs2_auto_erase=0
jffs2_format=0
jffs2_on=1
jffs2_scripts=1
jffs2_state=3
The one with AiMesh I was experimenting with days ago had jffs2_on & jffs2_scripts set to 0, so I just updated them to 1 to get the jffs2 script to work. To do that, do the following.
nvram set jffs2_on=1
nvram set jffs2_scripts=1
Setting these seems to survive reboots.
There is also a way, if an ASUS router doesn't have Merlin, to use a USB stick on the USB port and just keep it plugged in, if you do the nvram set command on script_usbmount=, which will survive reboots. You would have the services-start script on the USB flash drive for that to work, but I have never tried it.
As far as VLANs go, I don't seem to have any issues with that at all like you are having with the multi-room on Echos, or with any of my other IoT devices being across 3 APs and some on an Ethernet switch using VLAN. I'm running Hubitat for my smart home along with many other smart home systems all connected together:
- Lutron for lighting
- Hue (my 3 outdoor bulbs)
- Lifx (some indoor bulbs)
- Ring (for cameras and security)
- Amazon Smart Speakers (4 speakers, 2 Echo Shows)
- Google Home (3 speakers)
- Kasa plugs
- Bunch of Zigbee/Z-Wave on Hubitat hub (None of those uses Wi-Fi)
I have all of my IoT devices isolated on their own VLAN. I have my PC and mobile phones set up to be able to access the IoT VLAN, but nothing else locally can.
-
Here's my AX58 services-start:
#!/bin/sh
# VLAN script, for ASUS AX58 with merlin
#
# setup before hand:
# set "router" to "AP Mode" this will put all ports and wireless in br0
# Create 4 guest networks, 2 2.4, 2 5Ghz
# enable Administration => System => Enable JFFS custom scripts and configs (default)
# put this script in /jffs/scripts/, name should be "services-start" remember `chmod a+x services-start`
# reboot
# Ports are as follows
# eth4 => WAN port
# eth3 => Port1 (Physical)
# eth2 => Port2
# eth1 => Port3
# eth0 => Port4
# eth5 => WiFi 2.4G
# eth6 => WiFi 5G
# w10.1 => WiFi 2.4G guest network 1
# w11.1 => WiFi 5G guest network 1
# w10.2 => WiFi 2.4G guest network 2
# w11.2 => WiFi 5G guest network 2
# w10.3 => WiFi 2.4G guest network 3
# w11.3 => WiFi 5G guest network 3
# This setup:
# WAN port (eth4) will be repurposed as a tagged port
# LAN ports (eth0~3) and primary WiFi (eth5,6) will be on VLAN 1 (default)
# Guest 2.4 network 1 will be on VLAN 2
# Guest 5G network 1 will be on VLAN 2
# Guest 2.4 network 2 will be on VLAN 4
# Guest 5G network 2 will be on VLAN 4

# Remove eth4 (WAN) which will be reconfigured as a tagged port
brctl delif br0 eth4
# Remove interfaces we're moving to other bridges (the 4 guest wifi's)
brctl delif br0 w10.1
brctl delif br0 w11.1
brctl delif br0 w10.2
brctl delif br0 w11.2
# We'll need two new bridges, one for each VLAN
brctl addbr br1
brctl addbr br2
# Create the names (both tagged sub-interfaces sit on eth4, the WAN port;
# eth4.3 is just the chosen name for the VLAN 4 sub-interface)
ip link add link eth4 name eth4.2 type vlan id 2
ip link add link eth4 name eth4.3 type vlan id 4
# Bring the links up
ip link set eth4.2 up
ip link set eth4.3 up
# Add VLANS to the bridges
brctl addif br1 eth4.2
brctl addif br2 eth4.3
# Add the 4 wireless interfaces to their respective bridges
brctl addif br1 w10.1
brctl addif br1 w11.1
brctl addif br2 w10.2
brctl addif br2 w11.2
# Bring up the bridges
ip link set br1 up
brctl stp br1 on
ip link set br2 up
brctl stp br2 on
# nvram settings
nvram set lan_ifnames="eth0 eth1 eth2 eth3 eth4 eth5 eth6"
nvram set lan1_ifnames="w10.1 w11.1 eth4.2"
nvram set lan1_ifname="br1"
nvram set lan2_ifnames="w10.2 w11.2 eth4.3"
nvram set lan2_ifname="br2"
nvram set br0_ifnames="eth0 eth1 eth2 eth3 eth4 eth5 eth6"
nvram set br1_ifnames="w10.1 w11.1 eth4.2"
nvram set br1_ifname="br1"
nvram set br2_ifnames="w10.2 w11.2 eth4.3"
nvram set br2_ifname="br2"
# Enable br0 (eth4 goes back in untagged for the default VLAN)
brctl addif br0 eth4
brctl stp br0 on
# restart eapd
killall eapd
eapd
-
Thanks! I started looking at the JFFS (it was already set to 1) and it dawned on me: the issue isn't enabling that, it's getting a script to run at startup (without Merlin).
Glad to know Echo music works for you. I may try playing with it more. In the UI now, do you show the 2 new wireless networks? wl0.1 and wl1.1 were there when I enabled the first guest network in the UI; maybe w10.x and w11.x are the 2nd and third guest networks? What does the brctl show look like? I didn't try using them since the other node doesn't have Merlin.
I'm sure you know, but with nvram show you can also limit what comes back by including grep to search it. So nvram show | grep jffs
-
I guess I was looking at it wrong all along. It definitely is the letter l, not a 1. The odd thing is the services-start I have, I changed them all from letter l to number 1 and it still works and displays them as the letter l on brctl show.
So, it's wl0.1 and wl1.1 for guest 1, wl0.2 and wl1.2 for guest 2, and wl0.3 and wl1.3 for guest 3.
That was how it was showing before I did anything. I have 3 guest networks on my AX-86U to broadcast the VLAN for my work network just on that 1 AP, and 2 on my other 2 APs.
Here's brctl show from my AX-58U with 1 main wireless network and 2 guest networks/2 VLANs:
bridge name   bridge id           STP enabled   interfaces
br0           8000.a85e45f33360   yes           eth0
                                                eth1
                                                eth2
                                                eth3
                                                eth4
                                                eth5
                                                eth6
br1           8000.a85e45f33360   yes           eth4.2
                                                wl0.1
                                                wl1.1
br2           8000.a85e45f33360   yes           eth4.3
                                                wl0.2
                                                wl1.2
Thanks for the advice about grep. I forgot about that when I first did it a few days ago, and obviously that would have been quicker than my method.
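A quick way to confirm that a services-start script actually put each guest interface where the two brctl show listings in this thread say it should be. This is an added example, not either poster's script: it parses brctl show output (one bridge per block, continuation lines carrying only a member name) and flags any interface, including a guest SSID left behind in br0, that is not in the expected bridge. The sample output below is constructed to match the shape of the listing above.

```shell
#!/bin/sh
# Added example (not from the thread): verify bridge membership after a VLAN
# script has run, by parsing `brctl show` output.

# Constructed `brctl show` output in the shape posted above (not a real capture).
SAMPLE_BRCTL='bridge name     bridge id           STP enabled     interfaces
br0             8000.a85e45f33360   yes             eth0
                                                    eth1
                                                    eth2
                                                    eth3
                                                    eth4
                                                    eth5
                                                    eth6
br1             8000.a85e45f33360   yes             eth4.501
                                                    wl0.1
br2             8000.a85e45f33360   yes             eth4.502
                                                    wl1.1'

# bridge_of BRCTL_OUTPUT IFACE: print the bridge containing IFACE, or nothing.
bridge_of() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NR == 1 { next }                      # header line
        NF >= 4 { bridge = $1; iface = $NF }  # bridge line with its first member
        NF == 3 { bridge = $1; iface = "" }   # bridge with no members
        NF == 1 { iface = $1 }                # continuation line, member only
        iface == want { print bridge; exit }'
}

# check_vlan_layout BRCTL_OUTPUT iface=bridge ...: verify every expected
# placement. A guest interface still sitting in br0 (no isolation) shows up
# as a mismatch. Returns 0 when the layout matches, 1 otherwise.
check_vlan_layout() {
    out=$1; shift
    rc=0
    for pair in "$@"; do
        iface=${pair%%=*}
        expected=${pair#*=}
        actual=$(bridge_of "$out" "$iface")
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH: $iface is in '${actual:-no bridge}', expected '$expected'"
            rc=1
        fi
    done
    return $rc
}

# Expected layout for the two-VLAN (501/502) setup discussed in this thread.
check_vlan_layout "$SAMPLE_BRCTL" wl0.1=br1 wl1.1=br2 eth4.501=br1 eth4.502=br2 eth4=br0
```

On the router itself, replace the sample with live output: check_vlan_layout "$(brctl show)" wl0.1=br1 wl1.1=br2 ... and adjust the interface names to your model.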
-
I started looking at the JFFS (it was already set to 1) and it dawned on me, the issue isn't enabling that, it's getting a script to run at startup (without Merlin).
This should work even on stock (no Merlin) with a USB flash drive, if this model has a USB port on it. It would just need "nvram set script_usbmount=" set to point to the jffs folder on your flash drive. This would allow it to survive reboots, but would require the flash drive to always be connected.
Finding out which interface each eth number is would still need to be done though, so you know which one to program; the system log in the GUI seems to show it whenever you disconnect an Ethernet port, if you need to know which one is the WAN port.
-
That part I've done. I've been using it as a mesh node for months and it works well. Although I think the 4 Ethernet ports are a single entity:
# AX55
# eth0 is WAN
# eth1 is "everything else?"
# wl0.1 is "main" 2.4G, wl1.1 is "main" 5G, so leave alone
# wl0.2 is Guest 2.4GHz
# wl1.2 is Guest 5GHz
Saving the script to jffs (or USB) isn't an issue, but what would cause it to run? I was under the impression that without Merlin there is no "scripts" folder (or services-start file), so just putting a file there (I assume) wouldn't "do" anything. Is that not right?
...I see what you were driving at with the USB. Looks like there's a hack to run a script when the USB is mounted (which happens at reboot), so it would work... if this model had a USB. Thanks though.