
I'm trying to set up three isolated networks (VLANs) on an ASUS RT-AC86U running ASUSWRT-Merlin 386.10_0:

  • br0 (Home) – default LAN

  • br1 (Guest) – for guests, works fine

  • br2 (IoT) – this one is problematic

My goal:

Each VLAN should have:

  • A separate subnet and DHCP range

  • Internet access

  • Isolation (IoT → no access to br0/home or br1/guest)

What I’ve done:

I activated the second guest network in the GUI and called it IoT, then also did the following:

  1. Created the bridge and interface:

    brctl addbr br2
    brctl addif br2 wl0.2
    ifconfig br2 192.168.20.1 netmask 255.255.255.0 up

  2. Configured dnsmasq for br2 (in /jffs/configs/dnsmasq.conf.add):

    interface=br2
    dhcp-range=192.168.20.100,192.168.20.200,255.255.255.0,12h
    dhcp-option=br2,3,192.168.20.1
    dhcp-option=br2,6,1.1.1.1,8.8.8.8

  3. Enabled firewall rules (in /jffs/scripts/firewall-start):

    #!/bin/sh
    # Accept DHCP traffic arriving on the IoT bridge
    iptables -I INPUT -i br2 -p udp --dport 67 -j ACCEPT
    iptables -I INPUT -i br2 -p udp --dport 68 -j ACCEPT

Made the script executable.

Verified rules are inserted manually and persist when run.

Interface br2 shows up fine in iptables after manual run.

  4. Verified bridge membership:

    # brctl show
    br2 has wl0.2 attached

  5. Checked interface mode (problem):

    wl -i wl0.2 status
    Mode: Managed

Despite setting:

    nvram set wl0.2_mode=ap
    nvram commit

and running:

    wl -i wl0.2 down
    wl -i wl0.2 ap 1
    wl -i wl0.2 up

…the mode stays as Managed.

Problem:

  • wl0.2 refuses to stay in AP mode — it always returns to Managed.

  • No DHCP traffic seen on wl0.2 (tcpdump -i wl0.2 port 67 or 68 shows nothing).

  • Clients can't connect or get IPs on IoT SSID.

Questions:

  1. What’s forcing wl0.2 to stay in Managed mode?

  2. How can I persistently set it to AP mode for VLAN use?

  3. Is there a better way to isolate wireless SSIDs into VLANs on ASUSWRT-Merlin?

I also have an RT-AX86U PRO (that I could use if it has better support).

0 Answers
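For the isolation goal stated in the question (IoT must not reach br0 or br1), here is an added example, not part of the original post, of rules that could be placed in /jffs/scripts/firewall-start, with a check that reads `iptables -S FORWARD` output. It assumes the bridge names from the post and an iptables build with the `state` match; `IPT` and the function names are hypothetical, and it covers forwarded traffic only, not access to the router itself.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumptions: bridges br0/br1/br2 as in the post; iptables has the "state" match.

IPT="${IPT:-iptables}"   # set IPT="echo iptables" to preview without applying
IOT_IF="br2"
TRUSTED_IFS="br0 br1"

# Emit one rule specification per protected bridge.
# Only NEW connections are dropped, so replies to sessions opened from the
# home or guest side are not matched by these rules.
iot_rule_specs() {
    iot="$1"; shift
    for other in "$@"; do
        echo "FORWARD -i $iot -o $other -m state --state NEW -j DROP"
    done
}

# Delete-then-insert keeps exactly one copy of each rule, however many
# times the firewall script is re-run.
apply_iot_isolation() {
    iot_rule_specs "$@" | while read -r spec; do
        # $spec is unquoted on purpose: it must split into arguments
        $IPT -D $spec 2>/dev/null || true
        $IPT -I $spec
    done
}

# Read `iptables -S FORWARD` output on stdin and print every protected
# bridge that has no DROP rule from the IoT bridge. No output = covered.
missing_isolation() {
    iot="$1"; shift
    rules=$(cat)
    for other in "$@"; do
        echo "$rules" | grep -q -- "-i $iot -o $other .*-j DROP" || echo "$other"
    done
}

# Apply only when the IoT bridge exists and iptables is available.
if [ -d "/sys/class/net/$IOT_IF" ] && command -v iptables >/dev/null 2>&1; then
    apply_iot_isolation "$IOT_IF" $TRUSTED_IFS
    $IPT -S FORWARD | missing_isolation "$IOT_IF" $TRUSTED_IFS
fi
```

Because `-I` places each rule at the top of FORWARD, these drops are evaluated before any accept rules already in the chain.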