RT-AX88U Pro - Blocked Internet Access on Guest Network Not Working!

routerNewb87

I set up a Guest Network and linked it to a network port for a Blue Iris Camera setup. All that's here is a server, wired POE cameras, and wireless cameras. I want the server to have full internet access but all other devices blocked as I don't want the cameras to have the ability to "phone home".

I'm just trying to use out of the box functionality of the Pro router. I found I can't disable clients from accessing the internet using the web interface but I can using the Asus iPhone App, which I did.

However, despite the router reporting internet access is blocked the cameras are still connected to the internet. I've verified this through their respective camera apps as they shouldn't be able to connect if Internet is blocked. I've rebooted the router multiple times as well.

Anyone have any idea if I'm missing another setting or is this standard behavior?

I'm disappointed and just hoping it's something I missed but don't like the fact the system is reporting no internet to these devices but they have it!

Thanks

 
That firmware is extremely buggy, I have switched to Merlin on my 88 Pro, accepting that I am losing some of the Pro functionality in the meantime
 
However, despite the router reporting internet access is blocked the cameras are still connected to the internet.

I'm assuming you have Runner and Flow Cache enabled, the NAT acceleration. Try rebooting the router and test again.
 
I don't have those
I'm assuming you have Runner and Flow Cache enabled, the NAT acceleration. Try rebooting the router and test again.
I don't. I'm using Stock firmware, wish I went to Merlin at the start or just another product but I have everything working the way I need it... except for this mindblowing item that I can't simply block internet access for some devices.

Is there a way to turn it on easily w/o going to Merlin? I had another thought, could I just use the firewall -> network services filter -> deny list to add additional rules to deny these IPs from going outside? However, that's not working either!
 
I don't. I'm using Stock firmware

Runner and Flow Cache is Broadcom's NAT acceleration for ARMv8 NHD hardware. Nothing Asuswrt-Merlin related. Internet access blocking may have issues with both enabled (default). When you block Internet to devices the change may not apply until you reboot the router. Firmware bug in 3.0.0.6 is also quite possible.
 
 
Ran through and disabled both. Rebooted for probably the 12th time. Still the same behavior. For a $250 product you'd think basic functionality would work, bunch of hot garbage.
 
My old AC68U...

This old AC68U is different hardware and runs different firmware. No direct features and/or bugs comparison. It has its own bugs.


For a $250 product you'd think basic functionality would work

New product - user as beta tester. Common thing on the consumer market. Do you want to test some of the new Wi-Fi 7 products?
 
That's odd. My old AC68U allows me to disable Internet access via the GUI

Mine lets me do this for the main WiFi and LAN. However, for Guest Networks (also how VLANs are set up) the options to Block Internet and Bind MAC to IP are not present in the web app but the option exists in the iPhone app. Seems the VLAN/Guest Network implementation in the Pro version is pretty bad.
 
I'm disappointed and just hoping it's something I missed but don't like the fact the system is reporting no internet to these devices but they have it!

@routerNewb87. You are missing something. The "Guest Network", from my testing, is designed for guest internet access.

In Guest Network Pro, there are several different network choices.
  • Guest Portal
  • Guest Network
  • Kid's Network
  • IoT Network
  • VPN Network
  • Custom Network
I have explored a few of them when the 3.0.0.6 firmware was first introduced. At that time, it was apparent that each type of network has specific use cases with hard coded defaults.

I have decided to use 3 "Custom" networks for all my VLAN use-cases with the exception of "Guest Network" to allow guests access the internet.

If you want to restrict your camera to internet access, I suggest setting up a "Custom" network. Then, go to the Network Map that displays on the right column, select your camera and choose "Block Internet Access".

It has been a while and a FW update ago since I tested this function. At that time, I believe it worked. I have 5 cameras and one monitoring station with restricted internet access. The last time I checked, my cameras were not able to connect to the internet.

Note that if your camera is connected to a NVR through your router and your NVR is permitted to access the internet, that camera may be able to access the internet through your NVR even when you restrict internet access to that camera at the router level.

However, if the above method does not work, you can always restrict internet access to an entire "Custom" network subnet by assigning a phantom DNS setting.

If your camera is on your gateway subnet with a specific IP, then you can block internet access with the Firewall>Network Services Filter.

I'm not saying that 3.0.0.6 FW is perfect. There do seem to be bugs and some rough edges. But I think using "Guest Network" to restrict a client's internet access is the wrong approach.
 
Thanks, so not sure where things went haywire but after messing around with the unit for quite a bit it got so unstable I ultimately had to do a full factory reset.

I started all over, I tried custom network. It also does not give me the option to block internet access. Seems like that's the behavior of anything that's not on the main network, at least on this firmware/this device.



I don't think I can block the whole subnet as there is one server that needs to be able to get out within the subnet. I do feel the network filter should work though but at least what I'm trying is not working for me.
 
I tried custom network. It also does not give me the option to block internet access.
Give this a try. This "Block Internet Access" method seems to work for all IPs on VLAN subnets.



For your Network Services Filter, you need to block both port 80 and 443 in the "port range" column directly to the right of the "Destination IP" column. Make these two entries for TCP. Then make two more of the same entry for UDP. Your entries in the "Source IP" fields are correct to block comm packets moving from that device IP into the router LAN (whether ethernet or WiFi) and outbound through the router WAN.

LAN Source => Router => Destination WAN.

The Network Services Filter only works for comm packets moving in this direction. It does not apply to WAN => LAN or LAN => LAN.

NOTE: my earlier tests in the previous 3.0.0.6 FW version showed that the Network Services Filter only worked for Source IPs that are part of the gateway subnet (not VLANs). This may have changed in the current FW version.
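
The filter behaviour described in the post above, modelled as an added example (not ASUS firmware code and not written by any poster): a deny list keyed on source IP, protocol and destination port that only applies to LAN => WAN traffic and, as reported for 3.0.0.6, only to gateway-subnet sources. The subnets, addresses and UDP port 32100 are constructed sample values; the output shows which destination ports a camera can still use in each case.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing (assumptions, not values from the thread).
GATEWAY_NET = ipaddress.ip_network("192.168.50.0/24")  # main LAN
VLAN_NET = ipaddress.ip_network("192.168.52.0/24")     # Guest Network Pro VLAN
CAM_GW, CAM_VLAN, WAN_HOST = "192.168.50.20", "192.168.52.20", "203.0.113.10"

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def on_lan(addr):
    ip = ipaddress.ip_address(addr)
    return ip in GATEWAY_NET or ip in VLAN_NET

def deny_list(src):
    # The four entries from the post: ports 80 and 443, once for TCP, once for UDP.
    return {(src, proto, port) for proto in ("tcp", "udp") for port in (80, 443)}

def denied(flow, rules, gateway_only=True):
    # The filter only sees LAN source => router => WAN destination.
    if not on_lan(flow.src) or on_lan(flow.dst):
        return False
    # Behaviour reported for 3.0.0.6: VLAN sources are never matched.
    if gateway_only and ipaddress.ip_address(flow.src) not in GATEWAY_NET:
        return False
    return (flow.src, flow.proto, flow.dport) in rules

def still_reaches_wan(cam, gateway_only=True):
    """Return (proto, port) pairs the camera can still use towards the WAN."""
    rules = deny_list(cam)
    probes = [Flow(cam, WAN_HOST, p, d) for p, d in
              (("tcp", 80), ("tcp", 443), ("udp", 443), ("udp", 32100))]
    return [(f.proto, f.dport) for f in probes if not denied(f, rules, gateway_only)]

if __name__ == "__main__":
    print("gateway-subnet camera:", still_reaches_wan(CAM_GW))
    print("VLAN camera:          ", still_reaches_wan(CAM_VLAN))
```

Even where the rules match, a deny list limited to ports 80 and 443 leaves every other destination port open to the device.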
 
Thanks, PunchCardBoss, but no luck. I only get the option to block, time schedule, and do IP Address binding on devices connected to the gateway subnet. Also, verified what you did that the Network Services Filter also only works for the gateway subnet so none of the commands have any effect. Very disappointed as the main reason I got this thing was for the VLAN capabilities.

 
I only get the option to block, time schedule, and do IP Address binding on devices connected to the gateway subnet
Confirmed. I just checked as well. I had thought it worked for VLAN subnets but you are right. It doesn't. The option to "Block internet access" only works on devices connected to the gateway subnet.

I do agree. This is very disappointing. However, in my case, all devices on my VLAN(s) will either need to be blocked or have internet access. I can still block all my devices on a single VLAN by pointing the VLAN to a phantom (custom) DNS.

I urge you to write this up and send it to ASUS using the reporting function in the router's GUI. I will do the same. In theory, the louder we squeak, the more attention we will receive.
 
I am having the same issue on my RT-AX88U. I am trying to block internet access on a specific device on my Guest network. Even though I toggled blocked internet ON the device can still connect and access the internet. This is so frustrating.
 
Very frustrating! I had tried parental controls also and those didn’t work either. I ended up hooking up my old WiFi router to this new one and using it physically like a VLAN. Pretty sad I had to do that, as the reason I got this 88 Pro was to give me some basic VLAN capabilities.
 
