I believe you can, and I bought the RT-AX86U Pro for the same purpose. But the UI is very confusing. As you said, if you create a non-wifi VLAN from LAN -> VLAN -> Profile, you cannot connect it to an ethernet port which means the VLAN is unusable.
I think the solution is to create a “Guest network pro” and then disable wireless for that VLAN/Guest network pro. Select the Guest network and go to Wifi and AiMesh settings and select Wifi band “none”.
Hmm. I can try that. If I do that - basically making it a wired-only Guest-Network-Pro (presumably) - how do I make it specific to just one of the ethernet ports? I'm going to presume that I would accomplish this by selecting that Guest-Network-Pro on the LAN>VLAN>VLAN page, where I would then find it when I pull down the SDN Profile selection for the desired ethernet port!
If you happen to give that a try, I'd be very interested to hear the result of your attempt. I will give it a try as soon as I can. Thank you for the suggestion. It's a lead for me to follow...
This appears to be working nicely! Now I'll just have to try to make this traffic use the VPN reliably. That's the next step after I operate with this as-is for a little bit to verify that it's working reliably.
One tip:
Seems to be a little quirky when making changes to the VLAN ID and/or the IP address assigned automatically by the router for that network. What I found to make the router work with changes to those settings is that it's helpful to first de-associate the port from that VLAN (by setting the SDN Profile back to Default temporarily) on the LAN>VLAN>VLAN page. Then make & save your changes and then re-associate the desired port to the VLAN & save changes. I didn't try different iterations/ways to get this to work, but that did. There may, of course, be other way(s).
See my image of this settings-page in post #79
Thank you for this tip! This is really cool and what I have been looking for in a consumer-grade router.
The process to make this work is entirely too opaque/mysterious, etc. imo, so I plan to send feedback to Asus.
imo, accomplishing this should be far more straightforward in the UI, or they need to spell this out in a good FAQ/tutorial on their site to assist users.
Reading about Guest Network Pro, my first thought is, does each vlan/wireless guest network have its own WLAN broadcast/signal? Or, are these guest vlans implemented within the main WLAN broadcast signal? Perhaps a dumb question, but I'm wondering if GNPro will lead to more guest WLAN signals being broadcast around me (more radio congestion).
Another concern I would like to solve is being able to lock down Ethernet port/LAN access on nodes in less physically secure locations. Maybe the coming vlans will allow this... eventually(?)
Thanks for the update! I have not yet tested a wired VLAN myself (only wifi).
I hope that Asus will make the configuration more straight-forward in the final firmware.
The beta has been out for more than two months without any updates. Does anyone know what’s the usual beta testing cycle for Asus?
Agreed. There is definitely room for improvement in the UI to make things/interactions among settings more clear. However, I found your suggestions about how to accomplish this to be straightforward - and they do work.
One thing I have since noted is that I cannot assign IP reservations for devices on a created VLAN (probably an obvious thing to some of you). Those settings can only be made for the LAN. This isn't a deal-breaker. I'm happy enough to let DHCP do its job but sometimes it just makes things neater so I wouldn't mind seeing that capability added.
In my application, I want all devices connected to the router's ethernet port #4 to be on the VLAN so I assigned "Port4Net" as the SSID (just to help me remember in the future). I saw that SSID broadcast until I disabled wireless for that VLAN. Fortunately this can be done. The last thing I wanted was another SSID in the airwaves that I wasn't going to use.
After typing this, I'm now wondering if I addressed your question.
Background
I've been running this beta firmware on my router* for a while now, incrementing my way closer towards the configuration I want. I have set up a couple of guest networks: one was set up before installing this beta firmware via the 'normal' guest network feature that many of us using Asus routers & stock firmware will be very familiar with. Upon implementing the beta firmware, this was assigned VLAN ID 69. Super!
The second guest network was set up using the 'Guest Network Pro' feature. I have disabled the radio for this network; it is wired-only. The intent is for this to (eventually) serve as an always-VPNed connection for wired devices that I don't allow on my LAN. I have not yet applied the VPN setting, however this has been running as a separate network for some weeks now and appears to be working fine. This 2nd guest network sports the VLAN ID 72. No problemo!
Looking at a couple of the UI images for the GN-Pro features, a number of things stand out...
Fig1: Guest networks set up on the router.
Fig2: Client list showing devices on both 'guest' networks. (The 'Laptop' device is on the LAN, not on the VLANs.)
Fig3: Assigning a Wifi band (or not) to the VLAN. For VLAN 72, the "None" selection is checked.
In Fig1, you can see both networks, their VLAN IDs, and the correct assignments wrt their types. That is to say that VLAN 69 is a Wifi-only network and VLAN 72 is a wired-only network. Whether this remains as I approach my final, desired configuration isn't relevant at the moment. Two networks. Great!
Observations
a) In Fig1 you can see that both VLANs report no devices connected. The client list shown at the right of Fig 1, reporting no devices is for the blue-highlighted (at left) network- VLAN 72. No devices? Why?
In Fig2 you can clearly see the devices reported on each VLAN. Fig 2 is correct; these devices are indeed connected and in use on the two networks.
b) In Fig 2 you can see that the device on VLAN 69 is reported as a wired connection. Why? That's simply not the case. (Thinking aloud) Is it possible that, while you can toggle the radio for each VLAN (the "WiFi Band" setting shown in Fig3), you can't effectively do so with the wired connection? (although that still wouldn't explain why it's reported incorrectly as a wired connection, and assigning the VLAN to a LAN port is done elsewhere.**)
Is it possible that this is because it was set up as a guest network, not done using the Guest-Network-Pro feature? I may have to experiment with that.
The devices for VLAN 72 are all shown as wired, as they indeed are.
c) Devices on both VLANs are reported as having static IP assignments. Why? They're DHCP clients. In fact, I have no way to assign IP reservations on the VLANs in the current UI. I would like that ability!
AX5700 Dual Band WiFi 6 Gaming Router, Mobile Game Mode, AiProtection Pro, WPA3, Parental Control, Mesh WiFi support, 2.5G Port, Gaming Port, Adaptive QoS, Port Forwarding
www.asus.com
Code:
ASUS RT-AX86U Pro Firmware version 9.0.0.6.102.3506
Version 9.0.0.6.102.3506 Beta Version 54.47 MB
Be noted: This is an early stage beta, there might be bugs. This version can be downgraded via web GUI only.
New Features:
1. Add Guest Network Pro:
• Kids WiFi: Create a network for kids that blocks access to adult content and has a schedule to control when the network is available.
• VPN WiFi: Create a VPN network that connects to 3rd party VPN services or with ASUS site to site VPN(https://www.asus.com/support/FAQ/1048281/) to encrypts your internet connection and hides your IP address to protect your online activities from being tracked or monitored.
• IoT WiFi : Create an IoT (Internet of Things) network that blocks malicious traffic* and only allows 2.4GHz devices to connect.
• Guest WiFi: Create a guest network with a WiFi schedule and access rights to control when and how guests can use the network.
2. Add VLAN in LAN settings.
3. Add Auto USB WAN backup, while primary WAN is down, plug USB phone/dongle will auto enable backup internet, no setup is required.
4. Add iPhone USB tethering. (Please make sure hotspot on iPhone is enabled).
5. Add Multi-services WAN, create multiple profiles on a single WAN interface.
Hey, I've been seeing more and more references to guest network Pro. I don't own an RT-AX86U Pro, however, I was curious if this feature will be coming to the standard RT-AX86U, if it's not there already.
Thanks. The iOT preset looks like it might be useful to smart homes, so I wanted to try it if it's going to be available to my router at some point.
So I got my router AX86U pro a few days ago, started with setting it up. Then I came across this beta and saw the guest network pro functionality and decided to give it a go.
Especially given the fact that I was looking into how to approach setting up my IoT stuff separate from my main network.
However, I now used the IoT Network for the Guest Network pro, in order to separate my IoT stuff. But it seems as though I can still access things on my main wi-fi network even with that enabled.
One of my main aims was also related to security, because I generally have fairly 'trustworthy' equipment, or at least nothing I explicitly do not trust. However the obvious fear is always that some exploit will cause a whole network to be infected and spreading etc. etc. (doom-thinking I know). But especially also because I do expect to steadily increase the amount of IoT devices in the future.
So I was under the impression that with this whole VLAN stuff it would be possible to separate them. Any advice? Also, what is the best way to test this that they are separated anyway? I just tried to connect to my raspberry while connected to my IoT Network Wi-Fi (my raspberry is currently still not on my IoT network, which is a separate fact which I might change in the future) which worked, so I figured if that works, basically there is no isolation.
I figured that enabling AP Isolation would cause my IoT devices to not see one another, which, given that I also use google home, might make it not work to control my IoT devices (because when I had AP isolation on, the google home app immediately complained).
I am running the beta firmware on my RT-AX86U-Pro, but I have not tried working with the IoT Guest Network Pro settings, so I can't say what exactly this distinction is (compared to the guest network selection in the Guest Network-Pro (GN-P) interface). I haven't found documentation explaining these different selections.
I'm afraid that your questions are a little unclear for me to answer. For example:
I'm not sure what you mean here. Are you using a computer (device) on your guest network and can still access your LAN?
When you set up a GN-P, you should see the different VLAN IDs associated with each, on the GN-P page. In fact, you can change them to suit. Additionally, you can look at your client list* and this should show assigned IPs for all devices on your LAN and on your VLAN(s). Give the client list a few moments to update; it's not instant. This should give you some indication that things are working properly.
I was going to add to my observations (post #90 in this thread) but I'll mention it here briefly. It appears that the RT-AX86U-Pro with this beta firmware does not handle more than one VLAN properly. It tends to mess up the VLAN tagging, assigning IDs incorrectly even to the point of being impossible (if tagging were working properly). What do I mean by this? It became clear to me when creating a VLAN for one wired port on the router (no WiFi, just an isolated network on one ethernet port). It would assign that VLAN ID to devices on the other VLAN (a WiFi network). Not being plugged in to the wired port and still be communicating on the network shouldn't be possible. Something's up there. Full disclosure: I haven't tried every iteration of this feature. It's amazing how much time flies by waiting for the (sometimes quite long) settings changes to be applied. It takes a great deal of time to fiddle!
That said, I have one VLAN on one wired port and it is working properly. From a computer on my LAN, I cannot reach a monitoring device on the wired VLAN by typing its assigned IP address into a web browser. (It has a web server so I can normally access its config interface and KNOW that I am connected to it.) If I plug my computer into the VLAN, I can successfully access this monitoring device's config interface by typing its assigned IP address into a web browser.
I also stumbled across a trick** to having my WiFi VLAN working properly (2 VLANs!), tagging and isolating properly. I'm pretty happy about the feature. I have been waiting for this to be included in a consumer-level router for a long time. YES it needs work but I hope that Asus will successfully incorporate this feature set in the future.
* Caution: this is the client list on your Network Map page, NOT the one on the GN-P page. I have found the latter to be very unreliable in reporting client connections.
** Not quick or pretty, mind you. (This was to be the subject of my updated 'observations' post, in the works.)
Essentially yes, minus that I have in reality no LAN-connected devices aside from one extender, so I am solely relying on wireless for everything (because it is too much work to put in for a place I am not sure we will necessarily stay for a long time).
So I used my phone on my "IoT" guest network and I could still access a raspberry pi interface while the raspberry Pi was on the regular (non-guest) wifi network.
But it seems to be that we just have to play the waiting game here.
Sidenote: Is there an official feedback route actually for Beta firmware?
Interesting. If it were not so time consuming, I might try the IoT guest network pro to see if I could replicate what you're experiencing. Connected to the WiFi guest network, you should not be able to access a device on your LAN. You could make sure that - on the GN-P config page - the Access Intranet slider is indeed OFF. Just being thorough
Perhaps another suggestion (to make it work for you, not to say this error is ok) would be to delete the IoT GN-P and create just a Guest Network using the GN-P interface.
Feedback? Yes there is! Just go to Advanced Settings>Administration and find the "feedback" tab. I have submitted reports of my experiences a couple of times. In order to help ensure a good outcome (as I mentioned, I'd really like to see these VLAN features become release, not just beta), I'd encourage you to send your experience. Your submission will include info that includes the fact that it's the beta firmware.
Not mentioned so far on Asus' site showing models that will support the feature set. Wasn't there also a firmware version that the standard AX86U won't get that means it's a "no?"
I've seen no info either way, that's why I asked anyway, another user answered my question on a different thread that put things into a better understanding of what the feature is, and I may not need it after all.
Well damn! I should have been more thorough indeed. The access intranet property is not available in the IoT network GN-P, because indeed when I create a regular GN-P with the access intranet set to off, it does seem to work. As in, my phone when connected to it cannot access the raspberry pi on the non-guest network.
I guess I will send my feedback to Asus now, because it seems pretty straightforward to have that possibility for IoT network as well.