Allow guest network devices to access each other

Bobcat00

Occasional Visitor
I have an RT-AX68U running 386.7_beta2. I have a main network with wired and wireless devices. I also have guest network 1 set up (with separate 2.4 and 5.0 SSIDs). I have Access Intranet set to disable. I see that the guest network devices run their own subnets.

I use the guest network for devices that don't need to access my main network. The guest network devices include iPhones, an iPad, a MacBook Pro, a Roku streaming stick, Blu-ray player, stereo, and my car for firmware updates.

I would like for the guest network devices to access each other, but not the main network. In particular, I want to use the iPhones' screen mirroring (which I guess uses AirPlay) to stream to the Roku stick. Is there a way to set this up? (It would be fine if only the 5 GHz guest network can do this; access doesn't need to span both guest networks.)
 

eibgrad

Part of the Furniture
You can disable the guest wireless AP isolation using the following commands ...

Code:
nvram set wl0.2_ap_isolate=0
nvram commit
reboot

... where each 2.4GHz wireless guest is either wl0.1, wl0.2, or wl0.3, and each 5GHz wireless guest is either wl1.1, wl1.2, or wl1.3.

Beware, any changes to the wireless configuration will likely undo this change and require its reapplication.
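
An added example, not part of the post above: a small shell helper that derives the nvram key from the band and guest number using the wl0.x / wl1.x mapping given in the post, and re-applies `ap_isolate=0` only when the value has been reset. The function names are hypothetical, a dual-band router is assumed, and `nvram get` is used as the read counterpart of the `nvram set` shown above.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent re-application of the
# guest AP isolation setting. Function names are hypothetical.

# guest_ifname BAND GUEST -> prints wlX.Y
#   BAND  : 2.4 or 5  (2.4GHz guests are wl0.*, 5GHz guests are wl1.*)
#   GUEST : 1, 2 or 3 (guest network number)
guest_ifname() {
    case "$1" in
        2.4) radio=0 ;;
        5)   radio=1 ;;
        *)   echo "unknown band: $1 (use 2.4 or 5)" >&2; return 1 ;;
    esac
    case "$2" in
        1|2|3) ;;
        *) echo "guest network must be 1, 2 or 3" >&2; return 1 ;;
    esac
    echo "wl${radio}.$2"
}

# ensure_guest_visible BAND GUEST
# Reads the current value first, so it is safe to run after every change
# to the wireless settings. Prints "unchanged ..." or "changed ...".
ensure_guest_visible() {
    ifname=$(guest_ifname "$1" "$2") || return 1
    key="${ifname}_ap_isolate"
    current=$(nvram get "$key")
    if [ "$current" = "0" ]; then
        echo "unchanged $key"
        return 0
    fi
    # Same commands as in the post; the reboot is left to the operator.
    nvram set "$key=0" && nvram commit || return 1
    echo "changed $key (was '$current'); reboot to apply"
}

# Usage over SSH on the router, e.g. for 5GHz guest network 2:
#   ensure_guest_visible 5 2
```

Run it again after saving any wireless settings page; if it reports "changed", the router had restored isolation and needs the reboot from the original commands.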
 

Bobcat00

Occasional Visitor
And they still will not be able to access the main network?
 

eibgrad

Part of the Furniture
AP isolation only allows/blocks wireless to wireless. It's actually managed in the wireless driver itself. Any further access is determined by the intranet access settings, be it other wireless APs/VAPs or wired devices on the private network. So NO, they shouldn't have access to the main/private network.
 

Mike S

Regular Contributor
How do I enter this code? I assume the printer needs to be connected to the router via WiFi, rather than hardwired? Will the printer still be accessible from the main (non-guest) network?
 

eibgrad

Part of the Furniture
You specifically mentioned connecting the printers to the guest network, so I assumed that was your intent (or at least willing to consider it).

You need to connect to your router's SSH server and copy/paste that code into the window (of course, first adjusting for the proper wireless network interface). It will reboot and it should be working from that point on.
 

Mike S

Regular Contributor
I would like to be able to print from both the guest network and the regular network.
 

eibgrad

Part of the Furniture
Now he tells me. LOL

That's what makes guest networks such a pain on ASUS routers. The notion of wired access by guests is an ALL or nothing option, based on the intranet setting of the guest network. More suitable firmware would make this trivial to implement via the IP firewall.
 

Mike S

Regular Contributor
This worked like a champ. Luckily, the two printers I have in my office are both Canon C3525i copiers. These copiers permit me to connect both the hardwire LAN and WiFi interfaces at the same time. I connected my hardwire LAN interfaces to my Asus router, so that the copier is visible to all of my main LAN computers. I connected the WiFi interfaces for both copiers to my Asus Router Guest Network. With your code, all of the iPhone users connected to my guest network can now access both printers via the WiFi connections.

Thanks for the help!
 

Mike S

Regular Contributor
I tried using this code at another site and ran into a new problem. At the first location, I created a single guest network on the 2.4g band. At my latest location, I created guest network 1 for both 2.4g and 5g bands. When I add this code to the router, I keep getting an invalid password error when connecting to either guest network band. Is there any way I can have both bands, but eliminate the isolation between all guest network users, regardless of which band they are using?
 

eibgrad

Part of the Furniture
In general, you need to stay away from guest #1 as much as possible. ASUS made a mess of that guest network (2.4GHz and 5GHz) for the benefit of AiMesh, and so it's subject to numerous odd behaviors.

For example, at least on my ASUS RT-AC68U, guest #1 uses 192.168.101.0/24 and bridge br1 for 2.4GHz, and 192.168.102.0/24 and bridge br2 for 5GHz. Because of AiMesh, the router can't support the disabling of intranet access when those guest networks are active, so it generates an invalid password error when you attempt to connect. Of course, it's a perfectly valid username/password, but that's just the router's crude way of preventing the user from configuring a situation of isolation it can NOT enforce.

As I say all the time, just stay away from guest #1. Use either guest #2 or #3, which remain unaffected by any of these AiMesh hacks by ASUS. They exhibit much more reliable and predictable behavior.
 