Help with VLAN on ASUS RT-AX1800S

Of the 4 LAN ports, port 1 is for admin and does not use a VLAN.

Ports 2, 3 and 4 are part of a bridge and are used for VLANs.

Port 2 is mapped to VLAN 11 (untagged) and has a static IP, which is also another subnet for
accessing LuCI.

Port 3 is mapped to VLAN 81, meant to let the connected device get onto the Internet; it gets its IP from the upstream device and is set to
unmanaged.

Port 4 is meant for uplink trunk, with all VLAN numbers tagged.

I was able to get the port 2 VLAN to work, and access LuCI, many times before. However, it
stopped working after I cleared everything and redid it.

The port 4 Ethernet cable light is NOT on. I experimented and added an interface directly on port 4,
and the cable light turned on.

Currently nothing works, except accessing LuCI from the local LAN.

Here is the network config:

config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd12:71d8:3ce3::/48'
    option packet_steering '1'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '10.1.32.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config interface 'wan'
    option device 'wan'
    option proto 'dhcp'

config device
    option type 'bridge'
    option name 'br-lan2'
    list ports 'eth0'
    list ports 'lan2'
    list ports 'lan3'
    list ports 'lan4'

config bridge-vlan
    option device 'br-lan2'
    option vlan '81'
    list ports 'eth0:t'
    list ports 'lan3'
    list ports 'lan4:t'

config bridge-vlan
    option device 'br-lan2'
    option vlan '11'
    list ports 'eth0:t'
    list ports 'lan2'
    list ports 'lan4:t'

config interface 'CommonNet'
    option proto 'none'
    option device 'br-lan2.81'

config interface 'lan2'
    option proto 'static'
    option device 'br-lan2.11'
    option ipaddr '10.1.31.1'
    option netmask '255.255.255.0'

(pre-formatted text keeps crashing browsers, 5 times already)

Here is firewall config:

config defaults
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option synflood_protect '1'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    list network 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config zone
    option name 'lan2'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan2'

config zone
    option name 'CommonFW'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'CommonNet'

Next time, try using the markdown mode (instead of rich text) in the editor (blue oval, then use the </> code block to enclose your output):


Meanwhile, it would be good to have a better understanding of your network topology -- specifically:

  • Is the wan port being used?
  • If you're using the wan, is that the connection to the internet?
  • If not, what is the upstream router?
    • Is it VLAN aware?
    • What VLANs are setup there?
    • What are the address(es) that the upstream router uses?
  • Is the RT-AX1800S port lan4 connected to a managed switch? Or a router?

A diagram of the network could be really useful.

Anyway, there are a bunch of changes that are required here regardless of those answers... I'll show you those changes, but things may not work as expected if the wan isn't being used for the upstream.

Starting with the bridges -- you need all ports in a single bridge, and eth0 should not be in there.

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'
    list ports 'lan4'

Delete the other bridge:

Now, we'll edit the bridge-VLANs so that they use the correct bridge and we'll remove eth0:

config bridge-vlan
    option device 'br-lan'
    option vlan '81'
    list ports 'lan3:u*'
    list ports 'lan4:t'

config bridge-vlan
    option device 'br-lan'
    option vlan '11'
    list ports 'lan2:u*'
    list ports 'lan4:t'

We need to add another bridge-vlan for the lan interface:

config bridge-vlan
   option device 'br-lan'
   option vlan '32'
   list ports 'lan1:u*'

Now we'll edit the network Interfaces to use br-lan.x:

config interface 'lan'
    option device 'br-lan.32'
    option proto 'static'
    option ipaddr '10.1.32.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
...

config interface 'CommonNet'
    option proto 'none'
    option device 'br-lan.81'

config interface 'lan2'
    option proto 'static'
    option device 'br-lan.11'
    option ipaddr '10.1.31.1'
    option netmask '255.255.255.0'

Because CommonNet is unmanaged, we can delete the firewall zone associated with it:

This should fix the misconfigured elements, but there are still questions about how this network connects to the upstream and also what lan2's connectivity is supposed to be.
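As an added illustration (not code from the thread or from OpenWrt), a small lint script that reads a UCI network config from a backup and reports the three mistakes discussed above: more than one bridge, eth0 listed as a bridge or VLAN member, and an interface whose `br-xxx.N` device has no matching bridge-vlan. The sample config is constructed in the style of the first post.

```python
import re
# Constructed sample (not the poster's file): two bridges, eth0 as a port, interface on an undefined bridge
SAMPLE = """
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
config device
    option type 'bridge'
    option name 'br-lan2'
    list ports 'eth0'
    list ports 'lan2'
config bridge-vlan
    option device 'br-lan2'
    option vlan '11'
    list ports 'eth0:t'
config interface 'lan2'
    option device 'br-lan1.11'
"""
def parse_uci(text):  # minimal UCI parser -> [(section_type, {key: value or [values]})]
    sections = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if not parts: continue
        value = parts[2].strip("'\"") if len(parts) > 2 else ""
        if parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts[0] == "option":
            sections[-1][1][parts[1]] = value
        elif parts[0] == "list":
            sections[-1][1].setdefault(parts[1], []).append(value)
    return sections
def lint(text):  # findings for the DSA bridge/VLAN mistakes discussed in the thread
    secs = parse_uci(text)
    bridges = {s["name"]: s.get("ports", []) for t, s in secs if t == "device" and s.get("type") == "bridge"}
    vlans = {(s["device"], s["vlan"]) for t, s in secs if t == "bridge-vlan"}
    findings = []
    if len(bridges) > 1:
        findings.append("more than one bridge defined: " + ", ".join(sorted(bridges)))
    for name, ports in bridges.items():
        if "eth0" in ports:
            findings.append(name + ": eth0 (DSA CPU port) must not be a bridge member")
    for t, s in secs:
        if t == "bridge-vlan" and any(p.split(":")[0] == "eth0" for p in s.get("ports", [])):
            findings.append("bridge-vlan " + s["vlan"] + ": eth0 must not be a VLAN member")
        if t == "interface":
            m = re.fullmatch(r"(br-[\w-]+)\.(\d+)", s.get("device", ""))
            if m and (m.group(1), m.group(2)) not in vlans:
                findings.append("interface device " + m.group(0) + " has no matching bridge-vlan")
    return findings
```

Run `lint(open("/etc/config/network").read())` against a backup copy; an empty list means none of the three mistakes were found.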


After 1 day of struggle, I resolved the issue (after giving up fighting).

The way I did it was to import a configuration from another device that I had backed up.

I needed to redo all wireless configurations, but it works.

The newest configuration has only lan1, lan2, lan3 and lan4 in the ONLY bridge (eth0 is not in there). It does not have any other LAN bridge/interface.

In this bridge, I added tag 1 for the admin subnet:

config bridge-vlan
  option device 'br-lan1'
  option vlan '1'
  list ports 'lan1:u*'

Other configs for VLAN filtering are the same concept (untag for plugged in client, tagged for uplink/trunk, otherwise not used).

Just that and it works. I am not sure if this is documented somewhere, but just going and adding various bridges does not work. I came up with the idea of keeping the "original" LAN for admin and adding an additional VLAN for admin, so that once it works, I can remove the other one (the non-VLAN config). That worked this afternoon, but only for the two LANs; everything else was not working, including the uplink.

Then suddenly it stopped working. I wish I had backed up the config to compare, but I didn't.

I am too beaten up to try the WAN port as uplink. Probably tomorrow evening.

Hope this helps someone.

This is a recipe for major problems. Don't import backup configs from other devices.

You should start from scratch -- trust me on this.

Thanks. I will do that tomorrow. If the two devices are the identical model, would it still be a bad idea? Just curious to know. And what is the problem (other than future compatibility issues, hidden security issues, etc.)?

Yes, still a bad idea. This is because the MAC addresses may be found in the config files -- duplicate MACs can cause major network issues.

I see. That makes sense.

Wow, I didn't realize you had helped above there. Thank you very much! Would you mind giving me some pointers to where they document the parts you mentioned (such as only a single bridge, and that eth0 should not be in there, etc.)? For the wan port, if it's the upstream port, can we add it to the same bridge? I added eth0 thinking it might help with the CPU port or something of that "sort" that was needed in older routers. I later removed it, but the router keeps crashing every time I remove it and save/apply.

I don't know if there is a place that documents the fact that a single bridge is (usually) necessary, and is generally best practice except in very specific situations. That said, this is the document I usually point to:

It depends on how the wan port is being used. For a bridged-AP where the wan port is 'just another port', sure you can add it to the bridge. In most normal router situations (where the wan is the uplink to the internet), it usually doesn't make sense to add it to the bridge, but it can be done if needed.

eth0 is the internal connection between the CPU and the switch. It is abstracted away in DSA devices, so it shouldn't be included explicitly in the configs.

I don't know why it was crashing, but the config I provided should work.

