b1tman1ac · October 3, 2023 18:32 · Dec 29, 2020 · Dec 29, 2020 · Dec 29, 2020 · Aug 18, 2020
diff --git a/services-start.sh b/services-start.sh
@@ -2,9 +2,9 @@
 
 # references
 # NVRAM reference = https://wiki.dd-wrt.com/wiki/index.php/Switched_Ports
-# Original Script Reference = <script src="https://gist.github.com/Jimmy-Z/6120988090b9696c420385e7e42c64c4.js"></script>
-# Forked Script Reference = <script src="https://gist.github.com/tubaxiaosiji/d6c969797e470aa3eadfbfd6a966aa60.js"></script>
-# This Script = <script src="https://gist.github.com/b1tman1ac/3d2cad0094e78a587f217a0720c9c11c.js"></script>
+# Original Script Reference = https://gist.github.com/Jimmy-Z/6120988090b9696c420385e7e42c64c4
+# Forked Script Reference = https://gist.github.com/tubaxiaosiji/d6c969797e470aa3eadfbfd6a966aa60
+# This Script = https://gist.github.com/b1tman1ac/3d2cad0094e78a587f217a0720c9c11c
 
 # multi SSID with VLAN script, for ASUS AC3100(4 port model + WAN port) with Merlin
 #

diff --git a/services-start.sh b/services-start.sh
@@ -4,7 +4,7 @@
 # NVRAM reference = https://wiki.dd-wrt.com/wiki/index.php/Switched_Ports
 # Original Script Reference = <script src="https://gist.github.com/Jimmy-Z/6120988090b9696c420385e7e42c64c4.js"></script>
 # Forked Script Reference = <script src="https://gist.github.com/tubaxiaosiji/d6c969797e470aa3eadfbfd6a966aa60.js"></script>
-# This Script = 
+# This Script = <script src="https://gist.github.com/b1tman1ac/3d2cad0094e78a587f217a0720c9c11c.js"></script>
 
 # multi SSID with VLAN script, for ASUS AC3100(4 port model + WAN port) with Merlin
 #

diff --git a/services-start.sh b/services-start.sh
@@ -1,137 +1,277 @@
 #!/bin/sh
 
-# multi SSID with VLAN script, for ASUS AC66U_B1 with merlin.
-# DHCP service is configured by main router, such as ER-X or other devices,
-# Not in this router.
-#
-# setup before hand:
-#       set "router"  to "AP Mode"
-#       this will be put all ports and wireless in br0
-#       create a guest network ssid, exam: asus_guest_1
-#       enable Administration => System => Enable JFFS custom scripts and configs
-#    
-
-# some basic info of original AP mode:
+# references
+# NVRAM reference = https://wiki.dd-wrt.com/wiki/index.php/Switched_Ports
+# Original Script Reference = <script src="https://gist.github.com/Jimmy-Z/6120988090b9696c420385e7e42c64c4.js"></script>
+# Forked Script Reference = <script src="https://gist.github.com/tubaxiaosiji/d6c969797e470aa3eadfbfd6a966aa60.js"></script>
+# This Script = 
 
-# exec 'brctl show' command in shell, then you will get info like below:
+# multi SSID with VLAN script, for ASUS AC3100(4 port model + WAN port) with Merlin
+#
+# setup before hand: (if moving between firmware you are encouraged to always do a factory reset)
+#       1. set "router" to "AP Mode"
+#          - this will put all ports and wireless in br0
+#       2. create 1 guest network
+#       3. enable Administration => System => Enable JFFS custom scripts and configs
+#       4. put this script in /jffs/scripts/, name should be "services-start"
+#       5. remember `chmod a+x services-start`
+#       Note :: I strongly suggest you use static IP instead of DHCP
+#               (In my test, the "router" will pickup DHCP lease from VLAN 1 instead of VLAN 11)
+#       6. reboot
+
+# some basic info of the original AP mode:
+
+# exec 'brctl show' shell command, then you will get info like below :
 #
-#        bridge name    bridge id               STP enabled     interfaces
-#        br0            8000.1c4a54447218       no              vlan1
-#                                                               eth1
-#                                                               eth2
+#       bridge name     bridge id               STP enabled     interfaces
+#       br0             8000.2c56dc553730       no              vlan1
 #                                                               wl0.1
-#                                                               wl0.2
-#       
-#       'vlan1' is a set of Switch ports, router on ap mode, vlan1 member include switch's Port 0 1 2 3 4 5
+#                                                               wl1.1
 
-#       'br0' is network bridge device in linux, 'wl0.1' as it a member
-#       'wl0.1' is 2.4GHZ Guest network_1, 'vlan1' and 'wl0.1' they are in same network bridge(Broadcast domain), 
-#        so they can communicate with each other.
-#       'eth1' is 2.4GHZ primary network
-#       'eth2' is 5GHZ primary network
+# exec 'ip a' or 'ifconfig', mapping of interfaces from default are as follows :
+#
+#       vlan1 => Set of Switch ports, router on ap mode, vlan1 members include switch ports 0 1 2 3 4 5 7 8t as defined by Robocfg (see below)
+#       br0 => default bridge
+#       eth0 => WAN port
+#       eth1 => Default WiFi 2.4G Radio
+#       eth2 => Default WiFi 5G Radio
+#       wl0.1, wl0.2 => Guest [1|2|3] Wifi 2.4G Radio
+#       wl1.1, wl1.2 => Guest [1|2|3] Wifi 5G Radio
 
 # exec 'robocfg show' in shell can show switch ports and vlans(switch inside only, Not on linux)
 
-# Notice: all traffic is transport by eth0(swtich's Port 5) to linux(merlin system)
-
-#       Switch: enabled
-#       Port 0: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 14:82:c4:f4:40:20
+# Robocfg port mapping to physical ports (confirm yourself via 'robocfg show' command & plugging and unplugging cables in the ports)
+# Model { WAN L1 L2 L3 L4 CPU }  (Physical Ports)
+# RTN16: { 0, 4, 3, 2, 1, 8 } (Robocfg ports)
+# RTAC56U: { 4, 0, 1, 2, 3, 5 } (Robocfg ports)
+# RTN66U: { 0, 1, 2, 3, 4, 8 } (Robocfg ports)
+# RTAC66U: { 0, 1, 2, 3, 4, 8 } (Robocfg ports)
+# RTAC68U: { 0, 1, 2, 3, 4, 5 } (Robocfg ports)
+# RTAC87U: { 0, 5, 3, 2, 1, 7 } (Robocfg ports)
+# RTAC3200: { 0, 4, 3, 2, 1, 5 } (Robocfg ports)
+# RTAC3100: { 4, 3, 2, 1, 0, 8 } (Robocfg ports)
+
+# Notice: all traffic is transport by eth0(switch's Port 8) to linux(merlin system)
+
+#       # robocfg show
+#       Switch: enabled 
+#       Port 0:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
 #       Port 1:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
 #       Port 2:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
 #       Port 3:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
-#       Port 4:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
-#       Port 5: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 4c:2d:34:14:31:d8
-#       Port 7:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
-#       Port 8:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
+#       Port 4: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 50:06:ab:56:ad:2f
+#       Port 5: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
+#       Port 7: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
+#       Port 8: 1000FD enabled stp: none vlan: 2 jumbo: off mac: 2c:56:dc:55:37:30
 #       VLANs: BCM5301x enabled mac_check mac_hash
-#       1: vlan1: 0 1 2 3 4 5t
-#       2: vlan2: 5t
+#          1: vlan1: 0 1 2 3 4 5 7 8t
+#          2: vlan2: 8u
+
+# nvram default switch config
+
+#       # nvram show | grep vlan.*hwname | sort
+#       vlan1hwname=et2
+#       vlan2hwname=et2
+
+#       # nvram show | grep port.*vlans | sort
+#       should be nothing by default
+
+#       # nvram show | grep vlan.*ports | sort
+#       vlan1ports=0 1 2 3 4 5 7 8*
+#       vlan2ports=8u
+
+#       # nvram show | egrep "(br|lan|w).*_ifname" | sort
+#       br0_ifname=br0
+#       br0_ifnames=vlan1 wl0.1 wl1.1
+#       lan_ifname=br0
+#       lan_ifnames=vlan1 eth1 eth2 wl0.1 wl1.1
+#       wan0_ifname=eth0
+#       wan0_pppoe_ifname=
+#       wan1_pppoe_ifname=
+#       wan_ifname2=
+#       wan_ifname=
+#       wan_ifnames=eth0
+#       wl0.1_ifname=wl0.1
+#       wl0.2_ifname=wl0.2
+#       wl0.3_ifname=wl0.3
+#       wl0_ifname=eth1
+#       wl1.1_ifname=wl1.1
+#       wl1.2_ifname=wl1.2
+#       wl1.3_ifname=wl1.3
+#       wl1_ifname=eth2
+#       wl_ifname=eth1
+#       wl_ifnames=eth1 eth2
 
-#       On ASUS AC66U_B1 router 'Port 0' is correspond a physical Port --> WAN(blue)
-#       On my asus AC66U_B1 router like below correspond physical Port
-#       Port 1 --> LAN 1 
-#       Port 2 --> LAN 2 
-#       Port 3 --> LAN 3 
-#       Port 4 --> LAN 4 
-#       Port 5(eth0) is directly connected to CPU, it always UP
-#     
+# This setup:
+#       WAN(Robocfg Port 4|eth0) will be trunk/tagged port
+#       CPU(Robocfg Port 8) MUST be trunk/tagged port
+
+#       Bridge 0 = br0 = vlan 1, vlan 11
+#       Bridge 1 = br1 = Guest Wifi(wl0.1, wl1.1), vlan 12
+#       Vlan 11 = LAN ports (Physical Ports 1-4), Primary Wifi(eth1, eth2) & Tagged on Wan/Eth0
+#       Vlan 12 = Tagged on Wan/Eth0
+
+# example traffic flow for Guest Wifi 2.4G to Internet
+# client_traffic --> 2.4ghz network(wl0.1)--> br1 --> linux interface vlan12 --> switch's Port 8(tagged) -->
+#  --->switch's Port 4(tagged)---->up Link Port---->INTERNET
+
+# example traffic flow for Default Wifi 5G to Internet
+# client_traffic --> 5ghz network(eth2)--> linux interface vlan1 --> br0 --> linux interface vlan11 --> switch's Port 8(tagged) -->
+#  --->switch's Port 4(tagged)---->up Link Port---->INTERNET
 
-# this setup:
-#       WAN port(Port 0) will be as trunk port, transport vlan 102 traffic and vlan 200 traffic
 
-#       'vlan 1' on Port 0 is untagged, purposes of management router
-#       'vlan 101' on Port 0 is tagged, isolation primary network and Guests_1 network will use it.
-#       'vlan 200' on Port 0 is tagged, isolation primary network and Guests_2 network will use it.
 
-# client_traffic --> 2.4ghz network(wl0.1)--> br102 --> linux interface vlan102 --> switch's Port 5(tagged) -->
-#  --->switch's Port 0(tagged)---->up Link Port
 
-#       LAN ports (Port1~4) and primary WIFI will be on vlan 1
-#       Guest network_1 will be on VLAN 102
-#       Guest network_2 will be on VLAN 200
 
 
 
 # Let's get started!
 
 #!/bin/sh
 
+# start pre-checks and log
+echo "============== START PRE-CHECKS $(date) ==================" >> /jffs/scripts/log
+echo "# ip a" >> /jffs/scripts/log
+ip a >> /jffs/scripts/log
+echo "# ip r" >> /jffs/scripts/log
+ip r >> /jffs/scripts/log
+echo "# robocfg show" >> /jffs/scripts/log
+robocfg show >> /jffs/scripts/log
+echo "# brctl show" >> /jffs/scripts/log
+brctl show >> /jffs/scripts/log
+echo "# nvram show | grep vlan.*ports | sort" >> /jffs/scripts/log
+nvram show | grep vlan.*ports | sort >> /jffs/scripts/log
+echo "# nvram show | grep port.*vlans | sort" >> /jffs/scripts/log
+nvram show | grep port.*vlans | sort >> /jffs/scripts/log
+echo "# nvram show | grep vlan.*hwname | sort " >> /jffs/scripts/log
+nvram show | grep vlan.*hwname | sort >> /jffs/scripts/log
+echo "# nvram show | egrep \"(br|lan|w).*_ifname \"| sort" >> /jffs/scripts/log
+nvram show | egrep "(br|lan|w).*_ifname" | sort >> /jffs/scripts/log
+echo "============== END PRE-CHECKS $(date) ==================" >> /jffs/scripts/log
+
+# echo $PATH > /tmp/script_debug
+
+
+
+
+
+
+# start implementation and log
+echo "============== START IMPLEMENTATION $(date) ==================" >> /jffs/scripts/log
+
 # configure vlans on switch ports
 # robocfg is Broadcom BCM5325/535x/536x/5311x switch configuration utility
+# Below is port mapping for AC3100 (4t=wan-tagged, 8t=cpu-tagged), port mapping for others is above.
+echo "# robocfg vlan 11 ports \"0 1 2 3 4t 5 7 8t\"" >> /jffs/scripts/log
+robocfg vlan 11 ports "0 1 2 3 4t 5 7 8t" >> /jffs/scripts/log
+
+echo "# robocfg vlan 12 ports \"4t 8t\"" >> /jffs/scripts/log
+robocfg vlan 12 ports "4t 8t" >> /jffs/scripts/log
 
-robocfg vlan 200 ports "0t 5t"
-robocfg vlan 102 ports "0t 5t"
+# add vlan interface on merlin at eth0[switch 8 Port]
+echo "# vconfig add eth0 11" >> /jffs/scripts/log
+vconfig add eth0 11 >> /jffs/scripts/log
 
-# add vlan interface on merlin at eth0[switch 5 Port]
-vconfig add eth0 200
-vconfig add eth0 102
+echo "# vconfig add eth0 12" >> /jffs/scripts/log
+vconfig add eth0 12 >> /jffs/scripts/log
 
 # then up it
-ifconfig vlan200 up
-ifconfig vlan102 up
+echo "# ifconfig vlan11 up" >> /jffs/scripts/log
+ifconfig vlan11 up >> /jffs/scripts/log
+
+echo "# ifconfig vlan12 up" >> /jffs/scripts/log
+ifconfig vlan12 up >> /jffs/scripts/log
+
+# remove interfaces we're gonna move to other bridges
+echo "# brctl delif br0 wl0.1" >> /jffs/scripts/log
+brctl delif br0 wl0.1 >> /jffs/scripts/log
+
+echo "# brctl delif br0 wl1.1" >> /jffs/scripts/log
+brctl delif br0 wl1.1 >> /jffs/scripts/log
+
+# reconfigure br0, private LAN
+echo "# brctl addif br0 vlan11" >> /jffs/scripts/log
+brctl addif br0 vlan11 >> /jffs/scripts/log
+
+# set up br1, guest LAN
+echo "# brctl addbr br1" >> /jffs/scripts/log
+brctl addbr br1 >> /jffs/scripts/log
+
+echo "# brctl addif br1 vlan12" >> /jffs/scripts/log
+brctl addif br1 vlan12 >> /jffs/scripts/log
+
+echo "# brctl addif br1 wl0.1" >> /jffs/scripts/log
+brctl addif br1 wl0.1 >> /jffs/scripts/log
+
+echo "# brctl addif br1 wl1.1" >> /jffs/scripts/log
+brctl addif br1 wl1.1 >> /jffs/scripts/log
 
-# remove wl0.1 from br0   wl0.1-->guest network_1   wl0.2-->guest network_2
-brctl delif br0 wl0.2
-brctl delif br0 wl0.1
+echo "# ip link set br1 up" >> /jffs/scripts/log
+ip link set br1 up >> /jffs/scripts/log
 
-# add linux network bridge
-brctl addbr br200
-brctl addbr br102
 
-# add wl0.1 and wl0.2 to linux network bridge
-brctl addif br200 wl0.2
-brctl addif br102 wl0.1
+# setting nvram values must be correct. if NOT correct, will reject wireless client request
+echo "# nvram set br0_ifname=\"br0\"" >> /jffs/scripts/log
+nvram set br0_ifname="br0" >> /jffs/scripts/log
 
-# add vlan102 interface and vlan200 interface to linux network bridge
-brctl addif br200 vlan200
-brctl addif br102 vlan102
+echo "# nvram set lan_ifname=\"br0\"" >> /jffs/scripts/log
+nvram set lan_ifname="br0" >> /jffs/scripts/log
 
-# up linux network bridge
-ifconfig br200 up
-ifconfig br102 up
+echo "# nvram set br0_ifnames=\"vlan1 eth1 eth2 vlan11\"" >> /jffs/scripts/log
+nvram set br0_ifnames="vlan1 eth1 eth2 vlan11" >> /jffs/scripts/log
 
-# setting nvram values must be correct. if NOT correct, will reject wireless client request.
-nvram set br0_ifname="br0"
-nvram set lan_ifname="br0"
-nvram set lan_ifnames="vlan1 eth1 eth2"
-nvram set br0_ifnames="vlan1 eth1 eth2"
+echo "# nvram set lan_ifnames=\"vlan1 eth1 eth2 vlan11\"" >> /jffs/scripts/log
+nvram set lan_ifnames="vlan1 eth1 eth2 vlan11" >> /jffs/scripts/log
 
 
-nvram set lan1_ifnames="vlan200 wl0.2"
-nvram set lan1_ifname="br200"
-nvram set br200_ifname="br200"
-nvram set br200_ifnames="vlan200 wl0.2"
+echo "# nvram set lan1_ifnames=\"vlan12 wl0.1 wl1.1\"" >> /jffs/scripts/log
+nvram set lan1_ifnames="vlan12 wl0.1 wl1.1" >> /jffs/scripts/log
 
-nvram set lan2_ifnames="vlan102 wl0.1"
-nvram set lan2_ifname="br102"
-nvram set br102_ifname="br102"
-nvram set br102_ifnames="vlan102 wl0.1"
+echo "# nvram set lan1_ifname=\"br1\"" >> /jffs/scripts/log
+nvram set lan1_ifname="br1" >> /jffs/scripts/log
 
-killall eapd
+echo "# nvram set br1_ifname=\"br1\"" >> /jffs/scripts/log
+nvram set br1_ifname="br1" >> /jffs/scripts/log
 
-eapd
+echo "# nvram set br1_ifnames=\"vlan12 wl0.1 wl1.1\"" >> /jffs/scripts/log
+nvram set br1_ifnames="vlan12 wl0.1 wl1.1" >> /jffs/scripts/log
+
+
+
+# we do NOT issue `nvram commit` here since it won't survive reboot anyway
+echo "# killall eapd" >> /jffs/scripts/log
+killall eapd >> /jffs/scripts/log
+
+echo "# eapd" >> /jffs/scripts/log
+eapd >> /jffs/scripts/log
 
 # Flush ebtables --> clear all rules
-ebtables -F
+echo "# ebtables -F" >> /jffs/scripts/log
+ebtables -F >> /jffs/scripts/log
+
+
+echo "============== END IMPLEMENTATION $(date) ==================" >> /jffs/scripts/log
+
+
+
 
 
+# start verifications and log
+echo "============== START VERIFICATIONS $(date) ==================" >> /jffs/scripts/log
+echo "# ip a" >> /jffs/scripts/log
+ip a >> /jffs/scripts/log
+echo "# ip r" >> /jffs/scripts/log
+ip r >> /jffs/scripts/log
+echo "# robocfg show" >> /jffs/scripts/log
+robocfg show >> /jffs/scripts/log
+echo "# brctl show" >> /jffs/scripts/log
+brctl show >> /jffs/scripts/log
+echo "# nvram show | grep vlan.*ports | sort" >> /jffs/scripts/log
+nvram show | grep vlan.*ports | sort >> /jffs/scripts/log
+echo "# nvram show | grep port.*vlans | sort" >> /jffs/scripts/log
+nvram show | grep port.*vlans | sort >> /jffs/scripts/log
+echo "# nvram show | grep vlan.*hwname | sort" >> /jffs/scripts/log
+nvram show | grep vlan.*hwname | sort >> /jffs/scripts/log
+echo "# nvram show | egrep \"(br|lan|w).*_ifname\" | sort" >> /jffs/scripts/log
+nvram show | egrep "(br|lan|w).*_ifname" | sort >> /jffs/scripts/log
+echo "============== END VERIFICATIONS $(date) ==================" >> /jffs/scripts/log
diff --git a/services-start.sh b/services-start.sh
@@ -22,7 +22,7 @@
 #                                                               wl0.1
 #                                                               wl0.2
 #       
-#       'vlan1' is a set of Switch ports, router on ap mode, vlan1 member include Port 0 1 2 3 4 5
+#       'vlan1' is a set of Switch ports, router on ap mode, vlan1 member include switch's Port 0 1 2 3 4 5
 
 #       'br0' is network bridge device in linux, 'wl0.1' as it a member
 #       'wl0.1' is 2.4GHZ Guest network_1, 'vlan1' and 'wl0.1' they are in same network bridge(Broadcast domain), 

diff --git a/services-start.sh b/services-start.sh
@@ -67,7 +67,7 @@
 #  --->switch's Port 0(tagged)---->up Link Port
 
 #       LAN ports (Port1~4) and primary WIFI will be on vlan 1
-#       Guest network_1 will be on VLAN 101
+#       Guest network_1 will be on VLAN 102
 #       Guest network_2 will be on VLAN 200
 
 

diff --git a/services-start.sh b/services-start.sh
@@ -7,9 +7,9 @@
 # setup before hand:
 #       set "router"  to "AP Mode"
 #       this will be put all ports and wireless in br0
-#       create a guest network ssid, exam: asus_guest1
+#       create a guest network ssid, exam: asus_guest_1
 #       enable Administration => System => Enable JFFS custom scripts and configs
-#       reboot ASUS AC66U_B1 router
+#    
 
 # some basic info of original AP mode:
 
@@ -20,19 +20,19 @@
 #                                                               eth1
 #                                                               eth2
 #                                                               wl0.1
+#                                                               wl0.2
 #       
 #       'vlan1' is a set of Switch ports, router on ap mode, vlan1 member include Port 0 1 2 3 4 5
 
 #       'br0' is network bridge device in linux, 'wl0.1' as it a member
-#       'wl0.1' is 2.4GHZ Guest network, 'vlan1' and 'wl0.1' they are in same network bridge(broadcast area), 
+#       'wl0.1' is 2.4GHZ Guest network_1, 'vlan1' and 'wl0.1' they are in same network bridge(Broadcast domain), 
 #        so they can communicate with each other.
 #       'eth1' is 2.4GHZ primary network
 #       'eth2' is 5GHZ primary network
 
-# robocfg is Broadcom BCM5325/535x/536x/5311x switch configuration utility
-# exec 'robocfg show' in shell can show switch ports and switch vlans
+# exec 'robocfg show' in shell can show switch ports and vlans(switch inside only, Not on linux)
 
-# Notice: all traffic is transport by eth0(swtich's Port 5) to linux(or merlin system)
+# Notice: all traffic is transport by eth0(swtich's Port 5) to linux(merlin system)
 
 #       Switch: enabled
 #       Port 0: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 14:82:c4:f4:40:20
@@ -53,54 +53,85 @@
 #       Port 2 --> LAN 2 
 #       Port 3 --> LAN 3 
 #       Port 4 --> LAN 4 
-#       Port 5 is directly connected to CPU, it always UP, and it MUST be tagged in any vlan.
+#       Port 5(eth0) is directly connected to CPU, it always UP
+#     
 
 # this setup:
-#       WAN port(Port 0) will be as trunk port, transport vlan 1 traffic and vlan 101 traffic
+#       WAN port(Port 0) will be as trunk port, transport vlan 102 traffic and vlan 200 traffic
 
-#       'vlan 1' on Port 0 is untagged, purposes of management router and as a primary network
-#       'vlan 101' on Port 0 is tagged, isolation primary network and Guests will use it, or some Iot devices to use it.
+#       'vlan 1' on Port 0 is untagged, purposes of management router
+#       'vlan 101' on Port 0 is tagged, isolation primary network and Guests_1 network will use it.
+#       'vlan 200' on Port 0 is tagged, isolation primary network and Guests_2 network will use it.
 
-# guest_traffic --> 2.4ghz network(wl0.1)--> br1 --> linux interface vlan101 --> switch's Port 5 --> switch's Port 0
+# client_traffic --> 2.4ghz network(wl0.1)--> br102 --> linux interface vlan102 --> switch's Port 5(tagged) -->
+#  --->switch's Port 0(tagged)---->up Link Port
 
 #       LAN ports (Port1~4) and primary WIFI will be on vlan 1
-#       Guest network will be on VLAN 101
+#       Guest network_1 will be on VLAN 101
+#       Guest network_2 will be on VLAN 200
 
-# create a new network bridge, named it 'br1'
 
-brctl addbr br1
 
-# remove wl0.1 interface from br0, we are gonna move to br1
+# Let's get started!
 
-brctl delif br0 wl0.1
-brctl addif br1 wl0.1
+#!/bin/sh
 
-# configure vlan 101 on Port 0 and Port 5 by robocfg
+# configure vlans on switch ports
+# robocfg is Broadcom BCM5325/535x/536x/5311x switch configuration utility
 
-robocfg vlan 101 ports "0t 5t"
+robocfg vlan 200 ports "0t 5t"
+robocfg vlan 102 ports "0t 5t"
 
-# configure linux interface vlan 101 and attach it to eth0 (Switch's Port 5)
-# the Switch can transport vlan 101 tagged traffic to linux interface vlan101
-# then linux kernel will be split vlan tag.
-# traffic from linux kernel to interface vlan101 will execute reverse action.
+# add vlan interface on merlin at eth0[switch 5 Port]
+vconfig add eth0 200
+vconfig add eth0 102
 
-vconfig add eth0 101
-ifconfig vlan101 up
+# then up it
+ifconfig vlan200 up
+ifconfig vlan102 up
 
+# remove wl0.1 from br0   wl0.1-->guest network_1   wl0.2-->guest network_2
+brctl delif br0 wl0.2
+brctl delif br0 wl0.1
 
-# add vlan 101 to br1, and up it
+# add linux network bridge
+brctl addbr br200
+brctl addbr br102
 
-brctl addif br1 vlan101
-ifconfig br1 up
+# add wl0.1 and wl0.2 to linux network bridge
+brctl addif br200 wl0.2
+brctl addif br102 wl0.1
 
-# nvram setting
+# add vlan102 interface and vlan200 interface to linux network bridge
+brctl addif br200 vlan200
+brctl addif br102 vlan102
 
-nvram set lan_ifnames="vlan1 eth1 eth2"
+# up linux network bridge
+ifconfig br200 up
+ifconfig br102 up
+
+# setting nvram values must be correct. if NOT correct, will reject wireless client request.
+nvram set br0_ifname="br0"
 nvram set lan_ifname="br0"
+nvram set lan_ifnames="vlan1 eth1 eth2"
+nvram set br0_ifnames="vlan1 eth1 eth2"
+
+
+nvram set lan1_ifnames="vlan200 wl0.2"
+nvram set lan1_ifname="br200"
+nvram set br200_ifname="br200"
+nvram set br200_ifnames="vlan200 wl0.2"
 
-nvram set lan1_ifnames="vlan101 wl0.1"
-nvram set lan1_ifname="br1"
+nvram set lan2_ifnames="vlan102 wl0.1"
+nvram set lan2_ifname="br102"
+nvram set br102_ifname="br102"
+nvram set br102_ifnames="vlan102 wl0.1"
 
 killall eapd
+
 eapd
 
+# Flush ebtables --> clear all rules
+ebtables -F
+
+
diff --git a/services-start.sh b/services-start.sh
@@ -8,8 +8,7 @@
 #       set "router"  to "AP Mode"
 #       this will be put all ports and wireless in br0
 #       create a guest network ssid, exam: asus_guest1
-#       enalbe Administration => System => Enable JFFS custom scripts and configs
-#               remember excute 'chmod a+x services-start'
+#       enable Administration => System => Enable JFFS custom scripts and configs
 #       reboot ASUS AC66U_B1 router
 
 # some basic info of original AP mode:
@@ -21,12 +20,19 @@
 #                                                               eth1
 #                                                               eth2
 #                                                               wl0.1
-#
-#       'vlan1' is a set of Switch ports
-#       At ASUS AC66U_B1 router 'Port 0' is WAN(blue)
+#       
+#       'vlan1' is a set of Switch ports, router on ap mode, vlan1 member include Port 0 1 2 3 4 5
+
+#       'br0' is network bridge device in linux, 'wl0.1' as it a member
+#       'wl0.1' is 2.4GHZ Guest network, 'vlan1' and 'wl0.1' they are in same network bridge(broadcast area), 
+#        so they can communicate with each other.
+#       'eth1' is 2.4GHZ primary network
+#       'eth2' is 5GHZ primary network
 
 # robocfg is Broadcom BCM5325/535x/536x/5311x switch configuration utility
-# exec 'robocfg show' in shell can show them
+# exec 'robocfg show' in shell can show switch ports and switch vlans
+
+# Notice: all traffic is transport by eth0(swtich's Port 5) to linux(or merlin system)
 
 #       Switch: enabled
 #       Port 0: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 14:82:c4:f4:40:20
@@ -41,19 +47,21 @@
 #       1: vlan1: 0 1 2 3 4 5t
 #       2: vlan2: 5t
 
-#       'port 5' is connected to CPU, it always UP, and it MUST be tagged.
-#
-#       'br0' is network bridge device in linux, 'wl0.1' as it a member
-#       'wl0.1' is 2.4GHZ Guest network,they are in same broadcast area, so they
-#       can communicate with each other interface.
-#       'eth1' is 2.4GHZ primary network
-#       'eth2' is 5GHZ primary network
+#       On ASUS AC66U_B1 router 'Port 0' is correspond a physical Port --> WAN(blue)
+#       On my asus AC66U_B1 router like below correspond physical Port
+#       Port 1 --> LAN 1 
+#       Port 2 --> LAN 2 
+#       Port 3 --> LAN 3 
+#       Port 4 --> LAN 4 
+#       Port 5 is directly connected to CPU, it always UP, and it MUST be tagged in any vlan.
 
 # this setup:
-#       WAN port(Port 0) will be as trunk port, transport native vlan traffic and vlan 101
-#       traffic
+#       WAN port(Port 0) will be as trunk port, transport vlan 1 traffic and vlan 101 traffic
+
+#       'vlan 1' on Port 0 is untagged, purposes of management router and as a primary network
+#       'vlan 101' on Port 0 is tagged, isolation primary network and Guests will use it, or some Iot devices to use it.
 
-#       'vlan 1' is untagged traffic, purposes of management router and as a primary network
+# guest_traffic --> 2.4ghz network(wl0.1)--> br1 --> linux interface vlan101 --> switch's Port 5 --> switch's Port 0
 
 #       LAN ports (Port1~4) and primary WIFI will be on vlan 1
 #       Guest network will be on VLAN 101
@@ -69,11 +77,12 @@ brctl addif br1 wl0.1
 
 # configure vlan 101 on Port 0 and Port 5 by robocfg
 
-
 robocfg vlan 101 ports "0t 5t"
 
-# configure linux interface vlan 101 and attach it to to eth0 (Switch's Port 5)
-# then Switch can transport vlan 101 tagged traffics to linux system
+# configure linux interface vlan 101 and attach it to eth0 (Switch's Port 5)
+# the Switch can transport vlan 101 tagged traffic to linux interface vlan101
+# then linux kernel will be split vlan tag.
+# traffic from linux kernel to interface vlan101 will execute reverse action.
 
 vconfig add eth0 101
 ifconfig vlan101 up

diff --git a/services-start.sh b/services-start.sh
@@ -72,7 +72,7 @@ brctl addif br1 wl0.1
 
 robocfg vlan 101 ports "0t 5t"
 
-# configure linux interface vlan 101 and attach it to to eth0 (Switch)
+# configure linux interface vlan 101 and attach it to to eth0 (Switch's Port 5)
 # then Switch can transport vlan 101 tagged traffics to linux system
 
 vconfig add eth0 101

diff --git a/services-start.sh b/services-start.sh
@@ -25,6 +25,7 @@
 #       'vlan1' is a set of Switch ports
 #       At ASUS AC66U_B1 router 'Port 0' is WAN(blue)
 
+# robocfg is Broadcom BCM5325/535x/536x/5311x switch configuration utility
 # exec 'robocfg show' in shell can show them
 
 #       Switch: enabled
@@ -52,7 +53,7 @@
 #       WAN port(Port 0) will be as trunk port, transport native vlan traffic and vlan 101
 #       traffic
 
-# 'vlan 1' is untagged traffic, purposes of management router and as a primary network
+#       'vlan 1' is untagged traffic, purposes of management router and as a primary network
 
 #       LAN ports (Port1~4) and primary WIFI will be on vlan 1
 #       Guest network will be on VLAN 101
@@ -67,7 +68,7 @@ brctl delif br0 wl0.1
 brctl addif br1 wl0.1
 
 # configure vlan 101 on Port 0 and Port 5 by robocfg
-# robocfg is Broadcom BCM5325/535x/536x/5311x switch configuration utility
+
 
 robocfg vlan 101 ports "0t 5t"
 

diff --git a/services-start.sh b/services-start.sh
@@ -6,7 +6,7 @@
 #
 # setup before hand:
 #       set "router"  to "AP Mode"
-#       this will be put all port s and wireless in br0
+#       this will be put all ports and wireless in br0
 #       create a guest network ssid, exam: asus_guest1
 #       enalbe Administration => System => Enable JFFS custom scripts and configs
 #               remember excute 'chmod a+x services-start'
@@ -91,7 +91,6 @@ nvram set lan_ifname="br0"
 nvram set lan1_ifnames="vlan101 wl0.1"
 nvram set lan1_ifname="br1"
 
-nvram commit
 killall eapd
 eapd
 
diff --git a/services-start.sh b/services-start.sh
@@ -1,96 +1,97 @@
 #!/bin/sh
 
-# multi SSID with VLAN script, for ASUS AC86U with merlin
+# multi SSID with VLAN script, for ASUS AC66U_B1 with merlin.
+# DHCP service is configured by main router, such as ER-X or other devices,
+# Not in this router.
 #
 # setup before hand:
-#       set "router" to "AP Mode"
-#               this will put all ports and wireless in br0
-#       create 2 guest network
-#       enable Administration => System => Enable JFFS custom scripts and configs
-#       put this script in /jffs/scripts/, name should be "services-start"
-#               remember `chmod a+x services-start`
-#       I strongly suggest you use static IP instead of DHCP
-#               In my test, the "router" will pickup DHCP lease from VLAN 1 instead of VLAN 227
-#       reboot
-# some basic info of the original AP mode:
-#       eth0 => WAN port
-#       eth1~4 => LAN port 4~1, they're reversed
-#       eth5 => WiFi 2.4G
-#       eth6 => WiFi 5G
-#       wl0.1, wl0.2 => WiFi 2.4G guest networks
+#       set "router"  to "AP Mode"
+#       this will be put all port s and wireless in br0
+#       create a guest network ssid, exam: asus_guest1
+#       enalbe Administration => System => Enable JFFS custom scripts and configs
+#               remember excute 'chmod a+x services-start'
+#       reboot ASUS AC66U_B1 router
+
+# some basic info of original AP mode:
+
+# exec 'brctl show' command in shell, then you will get info like below:
+#
+#        bridge name    bridge id               STP enabled     interfaces
+#        br0            8000.1c4a54447218       no              vlan1
+#                                                               eth1
+#                                                               eth2
+#                                                               wl0.1
+#
+#       'vlan1' is a set of Switch ports
+#       At ASUS AC66U_B1 router 'Port 0' is WAN(blue)
+
+# exec 'robocfg show' in shell can show them
+
+#       Switch: enabled
+#       Port 0: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 14:82:c4:f4:40:20
+#       Port 1:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
+#       Port 2:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
+#       Port 3:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
+#       Port 4:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
+#       Port 5: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 4c:2d:34:14:31:d8
+#       Port 7:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
+#       Port 8:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
+#       VLANs: BCM5301x enabled mac_check mac_hash
+#       1: vlan1: 0 1 2 3 4 5t
+#       2: vlan2: 5t
+
+#       'port 5' is connected to CPU, it always UP, and it MUST be tagged.
+#
+#       'br0' is network bridge device in linux, 'wl0.1' as it a member
+#       'wl0.1' is 2.4GHZ Guest network,they are in same broadcast area, so they
+#       can communicate with each other interface.
+#       'eth1' is 2.4GHZ primary network
+#       'eth2' is 5GHZ primary network
+
 # this setup:
-#       WAN port (eth0) will be repurposed as a tagged port
-#       LAN ports (eth1~4) and primary WiFi (eth5,6) will be on VLAN 227
-#       guest network 1 will be on VLAN 11
-#       guest network 2 will be on VLAN 12
-
-#echo "============== START 1 $(date) ==================" >> /jffs/scripts/log
-#ip a >> /jffs/scripts/log
-#ip r >> /jffs/scripts/log
-#brctl show >> /jffs/scripts/log
-#echo "============== END 1 $(date) ==================" >> /jffs/scripts/log
-
-# echo $PATH > /tmp/script_debug
-
-# remove eth0 which will be reconfigured as a tagged port
-brctl delif br0 eth0
-# remove interfaces we're gonna move to other bridges
-brctl delif br0 wl0.1
-brctl delif br0 wl0.2
-
-# add vlans
-# interestingly, depending on the time passed since system boot,
-# vlan interfaces will be named eth0.1 or vlan1, I guess some udev rules got loaded.
-# so we use ip link instead of vconfig to specify a name explicitly.
-ip link add link eth0 name eth0.227 type vlan id 227
-ip link add link eth0 name eth0.11 type vlan id 11
-ip link add link eth0 name eth0.12 type vlan id 12
-ip link set eth0.227 up
-ip link set eth0.11 up
-ip link set eth0.12 up
-
-# reconfigure br0, private LAN
-brctl addif br0 eth0.227
-
-# set up br1, guest LAN
+#       WAN port(Port 0) will be as trunk port, transport native vlan traffic and vlan 101
+#       traffic
+
+# 'vlan 1' is untagged traffic, purposes of management router and as a primary network
+
+#       LAN ports (Port1~4) and primary WIFI will be on vlan 1
+#       Guest network will be on VLAN 101
+
+# create a new network bridge, named it 'br1'
+
 brctl addbr br1
-brctl addif br1 eth0.11
+
+# remove wl0.1 interface from br0, we are gonna move to br1
+
+brctl delif br0 wl0.1
 brctl addif br1 wl0.1
-ip link set br1 up
 
-# set up br2, another guest LAN for IoT devices
-brctl addbr br2
-brctl addif br2 eth0.12
-brctl addif br2 wl0.2
-ip link set br2 up
+# configure vlan 101 on Port 0 and Port 5 by robocfg
+# robocfg is Broadcom BCM5325/535x/536x/5311x switch configuration utility
 
-# seems like eapd reads config from these
-# no need to set lan_ifname since it's already there
-nvram set lan_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth0.227"
+robocfg vlan 101 ports "0t 5t"
 
-nvram set lan1_ifnames="wl0.1 eth0.11"
-nvram set lan1_ifname="br1"
+# configure linux interface vlan 101 and attach it to to eth0 (Switch)
+# then Switch can transport vlan 101 tagged traffics to linux system
+
+vconfig add eth0 101
+ifconfig vlan101 up
 
-nvram set lan2_ifnames="wl0.2 eth0.12"
-nvram set lan2_ifname="br2"
 
-# doesn't seem to affect anything, just make it align
-nvram set br0_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth0.227"
+# add vlan 101 to br1, and up it
 
-nvram set br1_ifnames="wl0.1 eth0.11"
-nvram set br1_ifname="br1"
+brctl addif br1 vlan101
+ifconfig br1 up
 
-nvram set br2_ifnames="wl0.2 eth0.12"
-nvram set br2_ifname="br2"
+# nvram setting
 
-# we do NOT issue `nvram commit` here since it won't survive reboot anyway
+nvram set lan_ifnames="vlan1 eth1 eth2"
+nvram set lan_ifname="br0"
+
+nvram set lan1_ifnames="vlan101 wl0.1"
+nvram set lan1_ifname="br1"
 
-# is there a better way to do this like `service restart eapd` ?
+nvram commit
 killall eapd
 eapd
 
-#echo "============== START 2 $(date) ==================" >> /jffs/scripts/log
-#ip a >> /jffs/scripts/log
-#ip r >> /jffs/scripts/log
-#brctl show >> /jffs/scripts/log
-#echo "============== END 2 $(date) ==================" >> /jffs/scripts/log
diff --git a/services-start.sh b/services-start.sh
@@ -0,0 +1,96 @@
+#!/bin/sh
+
+# multi SSID with VLAN script, for ASUS AC86U with merlin
+#
+# setup before hand:
+#       set "router" to "AP Mode"
+#               this will put all ports and wireless in br0
+#       create 2 guest network
+#       enable Administration => System => Enable JFFS custom scripts and configs
+#       put this script in /jffs/scripts/, name should be "services-start"
+#               remember `chmod a+x services-start`
+#       I strongly suggest you use static IP instead of DHCP
+#               In my test, the "router" will pickup DHCP lease from VLAN 1 instead of VLAN 227
+#       reboot
+# some basic info of the original AP mode:
+#       eth0 => WAN port
+#       eth1~4 => LAN port 4~1, they're reversed
+#       eth5 => WiFi 2.4G
+#       eth6 => WiFi 5G
+#       wl0.1, wl0.2 => WiFi 2.4G guest networks
+# this setup:
+#       WAN port (eth0) will be repurposed as a tagged port
+#       LAN ports (eth1~4) and primary WiFi (eth5,6) will be on VLAN 227
+#       guest network 1 will be on VLAN 11
+#       guest network 2 will be on VLAN 12
+
+#echo "============== START 1 $(date) ==================" >> /jffs/scripts/log
+#ip a >> /jffs/scripts/log
+#ip r >> /jffs/scripts/log
+#brctl show >> /jffs/scripts/log
+#echo "============== END 1 $(date) ==================" >> /jffs/scripts/log
+
+# echo $PATH > /tmp/script_debug
+
+# remove eth0 which will be reconfigured as a tagged port
+brctl delif br0 eth0
+# remove interfaces we're gonna move to other bridges
+brctl delif br0 wl0.1
+brctl delif br0 wl0.2
+
+# add vlans
+# interestingly, depending on the time passed since system boot,
+# vlan interfaces will be named eth0.1 or vlan1, I guess some udev rules got loaded.
+# so we use ip link instead of vconfig to specify a name explicitly.
+ip link add link eth0 name eth0.227 type vlan id 227
+ip link add link eth0 name eth0.11 type vlan id 11
+ip link add link eth0 name eth0.12 type vlan id 12
+ip link set eth0.227 up
+ip link set eth0.11 up
+ip link set eth0.12 up
+
+# reconfigure br0, private LAN
+brctl addif br0 eth0.227
+
+# set up br1, guest LAN
+brctl addbr br1
+brctl addif br1 eth0.11
+brctl addif br1 wl0.1
+ip link set br1 up
+
+# set up br2, another guest LAN for IoT devices
+brctl addbr br2
+brctl addif br2 eth0.12
+brctl addif br2 wl0.2
+ip link set br2 up
+
+# seems like eapd reads config from these
+# no need to set lan_ifname since it's already there
+nvram set lan_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth0.227"
+
+nvram set lan1_ifnames="wl0.1 eth0.11"
+nvram set lan1_ifname="br1"
+
+nvram set lan2_ifnames="wl0.2 eth0.12"
+nvram set lan2_ifname="br2"
+
+# doesn't seem to affect anything, just make it align
+nvram set br0_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth0.227"
+
+nvram set br1_ifnames="wl0.1 eth0.11"
+nvram set br1_ifname="br1"
+
+nvram set br2_ifnames="wl0.2 eth0.12"
+nvram set br2_ifname="br2"
+
+# we do NOT issue `nvram commit` here since it won't survive reboot anyway
+
+# is there a better way to do this like `service restart eapd` ?
+killall eapd
+eapd
+
+#echo "============== START 2 $(date) ==================" >> /jffs/scripts/log
+#ip a >> /jffs/scripts/log
+#ip r >> /jffs/scripts/log
+#brctl show >> /jffs/scripts/log
+#echo "============== END 2 $(date) ==================" >> /jffs/scripts/log