Need expert on vlanctl commands

VoodooKing

Hey guys. I am on Singtel's 1GB plan. Recently I replaced the Singtel-issued AC Elite router with an Asus RTAX86U. Now the STB isn't working. I know the Singtel-Other profile configures port 4 to connect the STB, and that works fine, but I would like to retain my old setup.

Original setup
ONT > AC Elite Port 1 > TL-SG105E > STB, PC, PS4, Android TV (All works fine)

Now
ONT > RTAX86U Port 4 > TL-SG105E > STB works, the rest don't work

I know that through CLI, port 4 can probably carry VLAN10 and 20 and then the TL-SG105E can perform VLAN tagging/untagging. I'm now just stuck at configuring the port 4.

Table for reference
# eth0 -> WAN
# eth1 -> LAN4

# br(XX) > bridge

For Singtel-Other profile, the ports are configured as below (I removed the rest of the ports info otherwise become too long and can't post)

br0 Link encap:Ethernet HWaddr 58:11:22:7C:AB:68
inet addr:192.168.1.254 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::5a11:22ff:fe7c:ab68%lo/64 Scope:Link
inet6 addr: 2400:d803:db4a:7338::1%1/64 Scope:Global
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:43853 errors:0 dropped:363 overruns:0 frame:0
TX packets:56272 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:12685194 (12.0 MiB) TX bytes:48597749 (46.3 MiB)

br101 Link encap:Ethernet HWaddr 58:11:22:7C:AB:68
inet addr:219.74.115.56 Bcast:219.74.115.255 Mask:255.255.255.0
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:52937 errors:0 dropped:0 overruns:0 frame:0
TX packets:33984 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:46299966 (44.1 MiB) TX bytes:11691965 (11.1 MiB)

eth0 Link encap:Ethernet HWaddr 58:11:22:7C:AB:68
inet6 addr: fe80::5a11:22ff:fe7c:ab68%lo/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:52938 errors:0 dropped:0 overruns:0 frame:0
TX packets:33184 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:47464643 (45.2 MiB) TX bytes:11706375 (11.1 MiB)

eth0.v0 Link encap:Ethernet HWaddr 58:11:22:7C:AB:68
inet6 addr: fe80::5a11:22ff:fe7c:ab68%lo/64 Scope:Link
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:52938 errors:0 dropped:0 overruns:0 frame:0
TX packets:33668 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:46300032 (44.1 MiB) TX bytes:11634185 (11.0 MiB)

eth1 Link encap:Ethernet HWaddr 58:11:22:7C:AB:68
inet6 addr: fe80::5a11:22ff:fe7c:ab68%lo/64 Scope:Link
UP BROADCAST ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:117 errors:0 dropped:117 overruns:0 frame:0
TX packets:30 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:14708 (14.3 KiB) TX bytes:3731 (3.6 KiB)

eth1.v0 Link encap:Ethernet HWaddr 58:11:22:7C:AB:68
inet6 addr: fe80::5a11:22ff:fe7c:ab68%lo/64 Scope:Link
UP BROADCAST ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:1350 (1.3 KiB)

Info for Port4 STB interface
#root: vlanctl --if eth1 --rx --tags 0 --show-table

VLAN Rule Table : eth1, Rx, nbrOfTags 0, default DROP
--------------------------------------------------------------------------------
===> eth1 (ONT) : RX, 0 tag(s)
Tag Rule ID : 0
Rx VLAN Device : eth1.v0
Filters
VlanDev MacAddr : No
Commands
00:[PUSH_TAG, 0x00008100, 0x00000001]
01:[SET_VID, 0x00000014, 0x00000000]
02:[SET_PBITS, 0x00000004, 0x00000000]
Rule Type : Flow
Hit Count : 0
--------------------------------------------------------------------------------

#root: brctl show

br0
eth2
eth3
eth4
eth5
eth6
eth7

br101
eth0.v0
eth1.v0


So eth1 (Port 4) in Singtel-Other profile is configured where a STB will get an IP address. I tried to add VLAN 10 to eth1 and then add it to br0 but it didn't work.

#root: vlanctl --mcast --if-create eth1 1
#root: vlanctl --if eth1 --tx --tags 0 --filter-txif eth1.v1 --push-tag --set-vid 10 0 --rule-append (Assign VLAN10 to the eth1.v1 interface..I think)
#root: vlanctl --if eth1 --rx --tags 1 --filter-vid 10 0 --pop-tag --set-rxif eth1.v1 --rule-append
#root: ifconfig eth1.v1 up
#root: brctl addif br0 eth1.v1

Both VLANs are now on Port 4, but I think the rules and commands are wrong. Should eth1.v1 be default DROP? eth1.v0 has Set_PBITS, and the documentation shows the line below, which I have no clue about.

--set-pbits <pbits> <tag_nbr> Set the PBITS value of the VLAN Header number <tag_nbr> to <pbits>.

#root: vlanctl --if eth1 --rx --tags 0 --show-table
VLAN Rule Table : eth1, Tx, nbrOfTags 0, default ACCEPT
--------------------------------------------------------------------------------
===> eth1 (ONT) : TX, 0 tag(s)
Tag Rule ID : 0
Rx VLAN Device : DEFAULT
Filters
Rx REALIF :
Tx VLANIF : eth1.v1
Commands
00:[PUSH_TAG, 0x00008100, 0x00000001]
01:[SET_VID, 0x0000000A, 0x00000000]
Rule Type : Flow
Hit Count : 0
--------------------------------------------------------------------------------
VLAN Rule Table : eth1, Rx, nbrOfTags 0, default DROP
--------------------------------------------------------------------------------
===> eth1 (ONT) : RX, 0 tag(s)
Tag Rule ID : 0
Rx VLAN Device : eth1.v0
Filters
VlanDev MacAddr : No
Commands
00:[PUSH_TAG, 0x00008100, 0x00000001]
01:[SET_VID, 0x00000014, 0x00000000]
02:[SET_PBITS, 0x00000004, 0x00000000]
Rule Type : Flow
Hit Count : 0
--------------------------------------------------------------------------------

root# brctl show

br0
eth1.v1
eth2
eth3
eth4
eth5
eth6
eth7

br101
eth0.v0
eth1.v0


My resources were taken from
https://www.snbforums.com/threads/v...untagged-traffic-rt-ax86u-and-rt-ax88u.78411/
https://www.snbforums.com/threads/asus-ac-86u-vlan-utility.55664/
https://forums.hardwarezone.com.sg/...-singtel-asus-rt-ax86u.6564040/post-137421693
I thought I'd ask here and see if anyone knows what I'm doing wrong and maybe have an idea.
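
An added example, not part of the post above: the quoted eth1 rule tables decoded into the 802.1Q fields each rule sets. It assumes SET_VID and SET_PBITS take `<value> <tag_nbr>`, as the quoted help line and the `--set-vid 10 0` command suggest; `decode_rules` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not from the thread: summarise each rule of a
# `vlanctl --show-table` dump as the 802.1Q tag it pushes.
# Assumption: SET_VID / SET_PBITS arguments are <value> <tag_nbr>.

# Abridged copy of the two eth1 tables quoted in the first post.
SAMPLE_TABLE='VLAN Rule Table : eth1, Tx, nbrOfTags 0, default ACCEPT
Tag Rule ID : 0
Tx VLANIF : eth1.v1
00:[PUSH_TAG, 0x00008100, 0x00000001]
01:[SET_VID, 0x0000000A, 0x00000000]
VLAN Rule Table : eth1, Rx, nbrOfTags 0, default DROP
Tag Rule ID : 0
Rx VLAN Device : eth1.v0
00:[PUSH_TAG, 0x00008100, 0x00000001]
01:[SET_VID, 0x00000014, 0x00000000]
02:[SET_PBITS, 0x00000004, 0x00000000]'

# Read a rule-table dump on stdin, print one summary line per rule.
decode_rules() {
    awk '
    function hex(s,    i, n) {          # portable hex parser (no gawk strtonum)
        s = tolower(s); sub(/^0x/, "", s); n = 0
        for (i = 1; i <= length(s); i++)
            n = n * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
        return n
    }
    function emit() {                   # print the rule collected so far
        if (rule == "") return
        if (pushed)                     # TCI = PCP (3 bits), DEI (1), VID (12)
            printf "%s %s rule=%s default=%s push vid=%d pcp=%d tci=0x%04x\n",
                   ifname, dir, rule, dflt, vid, pcp, pcp * 8192 + vid
        else
            printf "%s %s rule=%s default=%s no-push\n", ifname, dir, rule, dflt
        rule = ""
    }
    /VLAN Rule Table/ { emit(); gsub(/,/, ""); ifname = $5; dir = $6; dflt = $10 }
    /Tag Rule ID/     { emit(); rule = $NF; pushed = 0; vid = 0; pcp = 0 }
    /^[ \t]*[0-9]+:\[/ {
        gsub(/\[|\]|,/, " ")            # "01:[SET_VID, 0x14, 0x0]" -> plain fields
        if ($2 == "PUSH_TAG")  pushed = 1
        if ($2 == "SET_VID")   vid = hex($3)
        if ($2 == "SET_PBITS") pcp = hex($3)
    }
    END { emit() }'
}

printf '%s\n' "$SAMPLE_TABLE" | decode_rules
```

On the sample, the stock eth1.v0 rule pushes VID 20 with priority bits 4, while the added eth1.v1 rule pushes VID 10 and leaves the priority bits at 0.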
 

xiaofan

Wow, this is advanced stuff. I think even Asus engineers did not figure out how to do this. Let's see if the real experts here can help you out or not.

As far as I know, none of the third-party consumer routers can do this as of now. Maybe things like pfSense or OpenWRT can do this.
 

VoodooKing

Haha, it's entirely possible. Pretty sure the Asus engineers can do it if they dedicate their time to it.

The guy in the post below created several VLANs, assigned them to bridges and assigned all the bridges to the WAN port, that goes to connect to his managed switch to segregate out to different networks. I think I'm close but just got stuck.

https://www.snbforums.com/threads/v...untagged-traffic-rt-ax86u-and-rt-ax88u.78411/
If I can figure it out, I think it will help a lot of Asus router users who are using Singtel-Others profile but wish that they can connect a switch to port 4 and connect STB and other devices instead of just dedicating the port to STB.
 

TanKianW

You need to be well versed not just on the software level but also in the knowledge of hardware features and limitations to pull this off. Unless you are one of the developers, I would think it is not going to be easy. Don't take my word for it, I am not the expert.

From what I know, router vendors signed some form of NDA with the chip suppliers (e.g. Mediatek, Broadcom, Qualcomm, etc.) on the architecture features in order to facilitate them to write their firmware (some form of Linux). So unless there is an "insider", chances are slim.
 

xiaofan

Haha, it's entirely possible. Pretty sure the Asus engineers can do it if they dedicate their time to it.
...
If I can figure it out, I think it will help a lot of Asus router users who are using Singtel-Others profile but wish that they can connect a switch to port 4 and connect STB and other devices instead of just dedicating the port to STB.

It will be great that you can get this working. If not I will recommend an alternative solution to use the VLAN capable switch in front of the router.

For example you can use the following.
ONT --> TL-SG105E --> RT-AX86U
ONT --> STB or
ONT --> Singtel issued router (disable wifi) --> Singtel STB

I am using the following configuration myself.
ONT --> TL-SG105E --> RT-AX82U (with VLAN) --> Singtel STB
ONT --> OpenWRT / pfSense --> Huawei AX3 Quad Core Global version as AP

Reference:
https://forums.hardwarezone.com.sg/threads/quick-primer-to-vlans.6648144/
 

VoodooKing

Yeah, I could put the switch in front of the ONT. Anyway the STB I haven't watched for some time, only watch when there's free channels during some of our celebrations since I had cancelled STB last year and they ask me to keep the box for free.

I'll experiment some more.

Below is original rule table for port4 STB if you have any head or tails on understanding it. I only figured out.

RX= Receive?
TX= Transmit?

Screenshot-2022-11-08-160646.jpg


So I'm thinking to try remove all the rules and see if the port itself already at default VLAN 1, that would make it so much easier. The reason is because when I tried to enter 1 in the VLAN ID at router GUI, it says enter a value of 2 or higher.
 

VoodooKing

Yep, just thinking whether if I remove all the port 4 vlan 20 info, will it then revert to vlan 1 and I just play around on the switch level. Here's hoping. lol.
 

bert64

The Linux bridging code filters certain reserved addresses by default (this includes multicast addresses), you can turn that off by changing the group_fwd_mask setting (depending on your kernel version):

echo 65535 > /sys/class/net/br0/bridge/group_fwd_mask

try values 65535, 8 or 49144 and see how you go.

If that doesn't work, tcpdump the traffic with the -e option and see what traffic comes in on each side of the bridge, it should be fairly obvious to identify traffic that is coming in one side but not being forwarded out again the other side.
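
An added example, not part of the post above: the three suggested values decoded. Bit N of `group_fwd_mask` lets the bridge forward frames addressed to 01:80:c2:00:00:0N, and mainline Linux rejects masks that set bits 0 to 2; whether this router's vendor kernel does the same is not stated in the thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: decode a bridge group_fwd_mask value.
# Bit N enables forwarding of the reserved group address 01:80:c2:00:00:0N.

# Well-known users of the reserved addresses; the rest are shown as "reserved".
group_name() {
    case "$1" in
        0)  echo "STP (bridge group address)" ;;
        1)  echo "802.3x pause" ;;
        2)  echo "slow protocols (LACP)" ;;
        3)  echo "802.1X EAPOL" ;;
        14) echo "LLDP" ;;
        *)  echo "reserved" ;;
    esac
}

# Print one line per address the given mask would let the bridge forward.
decode_fwd_mask() {
    mask=$1
    bit=0
    while [ "$bit" -lt 16 ]; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            printf '01:80:c2:00:00:%02x %s\n' "$bit" "$(group_name "$bit")"
        fi
        bit=$((bit + 1))
    done
}

# Mainline Linux refuses masks with bits 0-2 set (BR_GROUPFWD_RESTRICTED = 0x0007).
# Assumption: a vendor kernel may have this check patched out.
mask_has_restricted_bits() {
    [ $(( $1 & 7 )) -ne 0 ]
}

# Decode the three values suggested in the post.
for m in 65535 8 49144; do
    if mask_has_restricted_bits "$m"; then
        note="sets restricted bits 0-2"
    else
        note="no restricted bits"
    fi
    printf '== %s (%s)\n' "$m" "$note"
    decode_fwd_mask "$m"
done
```

Of the three, 8 forwards only 802.1X EAPOL, 49144 forwards everything except STP, pause, LACP and LLDP, and 65535 forwards all sixteen addresses, which is worth knowing before letting a home bridge pass link-local control frames between segments.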
 

xiaofan

Not exactly related, but I was trying to get Singtel TV to work with pfSense directly without using a VLAN switch, but it did not work. I remember the problem is VLAN Priority 4 which pfSense does not support. As per @TanKianW, I need to add a VLAN switch (a Singtel issued router may well work as well) between the pfSense router and the Singtel TV box.

@VoodooKing

Sorry what I say below can be totally wrong, just want to share my thoughts.
I think the issue is that if you have both VLAN 10 and VLAN 20 to the Port 4, it becomes the trunk port. Singtel TV box will not work. But if you add a Singtel issued router in between, it will work.

Normal configuration:
Singtel ONT -- Asus with Singtel-Other VLAN profile Port 4 (VLAN 20, no Internet) -- Singtel TV box

Special configuration
Singtel ONT -- Asus with special VLAN configuration (VLAN 10/20, trunk port) -- Singtel issued router -- Singtel TV box

It is similar to what you want to do, but it may work as the Singtel issued router may have some magic inside.
ONT> RTAX86U Port 4 > TL-SG105E > STB works, the rest (Internet) don't work
 

VoodooKing

Yes, I want to make it into a trunk port and then have the managed switch do the tag/untag. I really do wish Singtel would share their magic on their AC Elite. This guy below got it for his own network.

https://www.snbforums.com/threads/v...untagged-traffic-rt-ax86u-and-rt-ax88u.78411/
Last time when I was working with Cisco switches, it all seemed so much easier, incoming trunk on switch port 1 and then the rest of the port just aside assign VLAN.

Anyway I've put on hold this project because after restarting the router like a hundred times, plugging my LAN wire in and out for testing, I became tired. Also the documentation on vlanctl is quite sparse and I'm not sure about the filter settings.
 

bert64

Yes, I want to make it into a trunk port and then have the managed switch do the tag/untag. I really do wish Singtel would share their magic on their AC Elite. This guy below got it for his own network.

https://www.snbforums.com/threads/v...untagged-traffic-rt-ax86u-and-rt-ax88u.78411/
Last time when I was working with Cisco switches, it all seemed so much easier, incoming trunk on switch port 1 and then the rest of the port just aside assign VLAN.

Anyway I've put on hold this project because after restarting the router like a hundred times, plugging my LAN wire in and out for testing, I became tired. Also the documentation on vlanctl is quite sparse and I'm not sure about the filter settings.
A switch works a bit differently to a bridge, it generally won't make any effort to filter anything, actually adding filtering complicates the switching ASIC and reduces performance.
A bridge is supposed (as per rfc) to filter certain things like 802.1x authentication by default, and then you have the added overhead of having to process the expected vlan tags.
There is also such a thing as nested vlan tags (QinQ), not sure if that's in use here but it could also be a factor.

The IPTV setup is a mess of multicast over legacy ip (itself a hack), provisioned over a separate vlan because the technology would not work over the main link due to nat anyway.

Easiest thing would be to tcpdump both sides of the bridge and see what's not getting passed through (or gets modified as it passes through) and adjust filtering settings until everything passes unmodified. Shouldn't be any need to restart or unplug anything.
 

kyrios

@VoodooKing
I've solved my problem just 5 min ago after reading this article as well.
Just like you, I've plugged and unplugged numerous times of LAN cable, just checking whether
the code is correct or not.
To shorten the trial process, I've pasted the code into SSH (not written to services-start file).
If something wrong, I just OFF-then-ON the switch, then AC86U back to dumb AP mode.

Code:
https://twd2.me/archives/14754
 

xiaofan

Code from the above website: https://twd2.me/archives/14754

I tend to think the code "ethswctl -c hw-switching -o disable" may affect the LAN performance.

LAN 1 -- trunk
LAN 3 -- smart TV, VLAN 4
LAN 4 -- IPTV, VLAN 2

SSID and SSID_5G --> for normal 2.4GHz and 5GHz wireless
SSID_IOT --> VLAN 4 for IoT devices
SSID_IPTV --> VLAN 2 for IPTV

1. vlan.sh
Code:
#!/bin/bash

# Physical port / radio to interface mapping used by the rest of the script
WAN=eth0
LAN1=eth4
LAN2=eth3
LAN3=eth2
LAN4=eth1
LAN5_8=eth5
WLAN2_4G_0=eth6
WLAN5G_0=eth7
WLAN2_4G_1=wl0.1
WLAN5G_1=wl1.1
WLAN2_4G_2=wl0.2
WLAN5G_2=wl1.2
WLAN2_4G_3=wl0.3
WLAN5G_3=wl1.3

# Create ${if}.${vlanid} and hand it every untagged frame received on ${if}
function create_vlan_untagged {
    local if=${1}
    local vlanid=${2}

    vlanctl --mcast --if-create-name "${if}" "${if}.${vlanid}"
    vlanctl --if "${if}" --rx --tags 0 --set-rxif "${if}.${vlanid}" --rule-append
    ifconfig "${if}.${vlanid}" up
}

# Create ${if}.${vlanid} for frames that carry tag ${vlanid} on ${if}
function create_vlan_tagged {
    local if=${1}
    local vlanid=${2}

    vlanctl --mcast --if-create-name "${if}" "${if}.${vlanid}"
    # RX: single-tagged frames with this VID lose the tag and go to the VLAN interface
    vlanctl --if "${if}" --rx --tags 1 --filter-vid "${vlanid}" 0 --pop-tag --set-rxif "${if}.${vlanid}" --rule-append
    # TX: untagged frames leaving through the VLAN interface get the tag pushed
    vlanctl --if "${if}" --tx --tags 0 --filter-txif "${if}.${vlanid}" --push-tag --set-vid "${vlanid}" 0 --rule-append
    ifconfig "${if}.${vlanid}" up
}

# LAN1: Trunk, 1 untagged, 2 tagged, 4 tagged
# LAN3: 4 untagged
# LAN4: 2 untagged
# WLAN2_4G_1 (IoT): 4 untagged
# WLAN2_4G_2 (IPTV): 2 untagged

create_vlan_untagged "${LAN1}" 1
create_vlan_tagged "${LAN1}" 2
create_vlan_tagged "${LAN1}" 4

# br0 now reaches LAN1 through the untagged VLAN interface instead of the raw port
brctl addif br0 "${LAN1}.1"
brctl delif br0 "${LAN1}"

# Bridge vlan4: trunk VLAN 4, LAN3 and the IoT SSID
brctl addbr vlan4
brctl addif vlan4 "${LAN1}.4"
brctl delif br0 "${LAN3}"
brctl addif vlan4 "${LAN3}"
brctl delif br0 "${WLAN2_4G_1}"
brctl addif vlan4 "${WLAN2_4G_1}"
ifconfig vlan4 up

# Bridge vlan2: trunk VLAN 2, LAN4 and the IPTV SSID
brctl addbr vlan2
brctl addif vlan2 "${LAN1}.2"
brctl delif br0 "${LAN4}"
brctl addif vlan2 "${LAN4}"
brctl delif br0 "${WLAN2_4G_2}"
brctl addif vlan2 "${WLAN2_4G_2}"
ifconfig vlan2 up

vlanctl --if "${LAN1}" --set-if-mode-rg

# Disable hardware switching
ethswctl -c hw-switching -o disable

# Print every rule for checking
vlanctl --rule-dump-all

2. ensure_br.sh
Code:
#!/bin/bash

WAN=eth0
LAN1=eth4
LAN2=eth3
LAN3=eth2
LAN4=eth1
LAN5_8=eth5
WLAN2_4G_0=eth6
WLAN5G_0=eth7
WLAN2_4G_1=wl0.1
WLAN5G_1=wl1.1
WLAN2_4G_2=wl0.2
WLAN5G_2=wl1.2
WLAN2_4G_3=wl0.3
WLAN5G_3=wl1.3

# Move ${if} from br0 to ${br} if it is currently a member of br0
function ensure_br {
    local br=${1}
    local if=${2}

    # -q: no output, -w: whole word, -F: literal match (the "." in wl0.1 is not a wildcard)
    if brctl show br0 | grep -qwF -- "${if}"; then
        brctl delif br0 "${if}"
        brctl addif "${br}" "${if}"
    fi
}

ensure_br vlan4 "${WLAN2_4G_1}"
ensure_br vlan2 "${WLAN2_4G_2}"
 

xiaofan

I've solved my problem just 5 min ago after reading this article as well.
Just like you, I've plugged and unplugged numerous times of LAN cable, just checking whether
the code is correct or not.
To shorten the trial process, I've pasted the code into SSH (not written to services-start file).
If something wrong, I just OFF-then-ON the switch, then AC86U back to dumb AP mode.

Code:
https://twd2.me/archives/14754

Just wondering if you can share what you have done so that the forum readers here may benefit from your learning as well. Thanks a lot in advance.
 