Asus AIMesh Guest network issues

[KidJoe]

As I said, while I could potentially bypass the basement switch by jumpering the patch panel from the GT-AX6000 to the RT-AX88U for testing, even if that works, I will not be able to bypass the play room switch the TUF-AX5400 is connected to. Unfortunately the roof design above my son's room (2 joining slopes) makes it near impossible to get up and into the crawl space above his room to fish a new wire down his wall.

See also Post 138.

So to reply to myself... I GOT IT WORKING, at least for 2.4Ghz Guest networks as I haven't enabled 5ghz guest yet. With Guest 1 network enabled and Intranet Access = Disabled, devices are able to connect to the guest network on the AiMesh Nodes, and are able to access the internet. My home network is 192.168.0.x, on the 2.4ghz Guest network, the IP's were 192.168.101.x. And the Asus Router app on my phone, properly listed my device on the 2.4ghz Guest network, on the router/node I was connected to.

Short Version: Since I can't run wires directly between the GT-AX6000 AiMesh Router and the RT-AX88U and TUF-AX5400 AiMesh Nodes quickly and easily, the solution it involved replacing the unmanaged switches in between them with managed switches, creating VLAN 501 and 502 in each of the managed switches, and set the ports the GT-AX600, RT-AX88U and TUF-AX5400 were connected to as TAGGED for those Vlans.

Steps I took:

As my first step, I was able to remove basement switch from between my GT-AX6000 (AI Mesh router) and RT-AX88U (AI Mesh Node) by jumpering from patch panel port to patch panel port, so basically having a wire directly between the two. With this setup I was able to connect a device to the guest 1 network on the RT-AX88U (with Intranet Access = Disabled) and access the internet only.

Next step involved what I read about VLANs for the guest networks and how unmanaged switches can sometimes not pass through VLAN tags/info.

My Basement switch is a Dell X1026p switch which I had been running in Unmanaged Mode. I hadn't been doing anything fancy, so unmanaged was fine. To test the VlAN idea, I switched it to Managed. Using its menus, and going under Network Administration -> Vlan -> Standard Vlan, Vlan 1 was created an all ports set as "Untagged" for it. I created a 501 and 502 Vlan, and set the ports connecting to my patch panel corresponding to the connections for the GT-AX6000, RT-AX88U and Playroom (ports 22, 23, and 24) as "TAGGED" for Vlan 501 and 502. With that setup, I was able to connect a device to the guest network (intranet access=disabled) on the RT-AX88U, get an IP an connect to the internet only.

Finally, the switch in the play room was an unmanaged 8 port D-Link so I picked up a "Netgear GS108Ev3 - 8-Port Gigabit Ethernet Smart Managed Plus Switch" at the local best buy because it was on sale for nearly 50% off, making it relatively cheap and an easy solution. On the Netgear, I used the menus to go Vlan -> 802.1Q -> VLan Configuration, enable it, again Vlan 1 was already created and ports 1 through 8 were members. Next I created VLAN 501 and 502, then on the Vlan Membership tab assigned Ports 1 (connected to the Dell X1026 in the basement) and 2 (connected to the TUF-AX5400 in Son's room) as Tagged on Vlan 501 and 502. With that finally setup, I was able to connect a device to the guest network (intranet access=disabled) on the TUF-AX5400 in my Son's room, get an IP an connect to the internet only.

 

[ovipopescu1]

See also Post 138.

So to reply to myself... I GOT IT WORKING, at least for 2.4Ghz Guest networks as I haven't enabled 5ghz guest yet. With Guest 1 network enabled and Intranet Access = Disabled, devices are able to connect to the guest network on the AiMesh Nodes, and are able to access the internet. My home network is 192.168.0.x, on the 2.4ghz Guest network, the IP's were 192.168.101.x. And the Asus Router app on my phone, properly listed my device on the 2.4ghz Guest network, on the router/node I was connected to.

Short Version: Since I can't run wires directly between the GT-AX6000 AiMesh Router and the RT-AX88U and TUF-AX5400 AiMesh Nodes quickly and easily, the solution it involved replacing the unmanaged switches in between them with managed switches, creating VLAN 501 and 502 in each of the managed switches, and set the ports the GT-AX600, RT-AX88U and TUF-AX5400 were connected to as TAGGED for those Vlans.

Steps I took:

As my first step, I was able to remove basement switch from between my GT-AX6000 (AI Mesh router) and RT-AX88U (AI Mesh Node) by jumpering from patch panel port to patch panel port, so basically having a wire directly between the two. With this setup I was able to connect a device to the guest 1 network on the RT-AX88U (with Intranet Access = Disabled) and access the internet only.

Next step involved what I read about VLANs for the guest networks and how unmanaged switches can sometimes not pass through VLAN tags/info.

My Basement switch is a Dell X1026p switch which I had been running in Unmanaged Mode. I hadn't been doing anything fancy, so unmanaged was fine. To test the VlAN idea, I switched it to Managed. Using its menus, and going under Network Administration -> Vlan -> Standard Vlan, Vlan 1 was created an all ports set as "Untagged" for it. I created a 501 and 502 Vlan, and set the ports connecting to my patch panel corresponding to the connections for the GT-AX6000, RT-AX88U and Playroom (ports 22, 23, and 24) as "TAGGED" for Vlan 501 and 502. With that setup, I was able to connect a device to the guest network (intranet access=disabled) on the RT-AX88U, get an IP an connect to the internet only.

Finally, the switch in the play room was an unmanaged 8 port D-Link so I picked up a "Netgear GS108Ev3 - 8-Port Gigabit Ethernet Smart Managed Plus Switch" at the local best buy because it was on sale for nearly 50% off, making it relatively cheap and an easy solution. On the Netgear, I used the menus to go Vlan -> 802.1Q -> VLan Configuration, enable it, again Vlan 1 was already created and ports 1 through 8 were members. Next I created VLAN 501 and 502, then on the Vlan Membership tab assigned Ports 1 (connected to the Dell X1026 in the basement) and 2 (connected to the TUF-AX5400 in Son's room) as Tagged on Vlan 501 and 502. With that finally setup, I was able to connect a device to the guest network (intranet access=disabled) on the TUF-AX5400 in my Son's room, get an IP an connect to the internet only.

Many thanks to everybody that pointed in the right direction: VLANs. I am using two Asus RT-AX1800U in AiMesh config with two guest wlans (one 2.4GHz and one 5 GHz).

I hope that it will help everybody: here is my TP-Link TL-SG108E switch config

 

[jorgsmash]

I had an RT-AX88U main with an RT-AX58U AiMesh (wired and wireless backhaul, briefly) less than a year ago. Not a setup that could be considered 'worth the money'.

The current 2x RT-AX86U's in wired 2.5GbE backhaul mode are far, far superior.

The recently experienced 2x RT-AX68U's in wireless backhaul mode for a customer was also superior to the RT-AX88U + RT-AX58U setup (from memory and from the increase in performance/throughput from 2x RT-AC86U's for that same customer).

Report - 2x RT-AX68U upgrade over 2x RT-AC86U in wireless backhaul mode

Report - 2x RT-AX68U upgrade - Followup questions/answers

I know this is and old post but this is a bummer to read, as this is my exact setup. AX88U as main router, AX58U as AI-mesh node, wireless backhaul (don't know how I'd manage to wire them together). And I am experiencing the same issues with the guest network as many others are stating from back in 2021. Still reading this entire thread though. About 6 pages left

I wouldn't mind spending some $ on a better setup.

 

[SchneiderIS]

I know this is and old post but this is a bummer to read, as this is my exact setup. AX88U as main router, AX58U as AI-mesh node, wireless backhaul (don't know how I'd manage to wire them together). And I am experiencing the same issues with the guest network as many others are stating from back in 2021. Still reading this entire thread though. About 6 pages left

I wouldn't mind spending some $ on a better setup.

From my personal experience, take into account how many devices you have to manage. My home has a lot of home automation devices and that is what brought me back to the Asus. I suspect other options such as Netgear might have improved but the flexibility of building my mesh and upgrading points as I go has been a huge appeal.

A couple of things to consider is the number of bands you have on your routers if you can't install a dedicated backhaul. Some routers are going to have multiple 5Gh or the addition of a 6Gh that can be used as a dedicated backhaul. If you have singular though then all traffic will happen on the one band.

Another is placement of the nodes. Do not underestimate the impact of placement including the nodes being to close to the main router (or to each other if you add more).

A dedicated ethernet backhaul is always idea, just not always viable. Recently I upgraded my AX88U to a AX88U Pro specifically to get support for a 2.5Gb ethernet backhaul connectivity. Then I upgraded one switch to support all nodes with 2.5Gb. It has made a big difference in backend stability and reduction of jitter (more than I expected). If that is the case with a wired backhaul at 1Gb then just think how much of a hit (keep in mind your bandwidth might be very different from mine) you take on a wireless.

 

[SchneiderIS]

@jorgsmash, not sure if you saw the recent TP-Link mesh network announcement. Not cheap, but I suspect it would be much better with wireless backhaul. WiFi7 should take and make a big leap in this area.

TP-Link Launches New 'Deco BE85' Tri-Band WiFi 7 Mesh System

 

[ieatsoop]

I was having the same issue with clients not being able to connect to the guest networks on the AiMesh node. The main router is an AX89X and an AC86U as the node using an ethernet backhaul. I just set up AiMesh yesterday and thought it would be a breeze until I hit this snag. All FW is up to date, with the latest beta on the AX89X. The AX89X was on the 2nd floor and the AC86U was on the 1st. I was using MoCA to connect the network and had an unmanaged switch between the MoCA adapter and the AiMesh node on the 1st floor. Based on this post that the guest networks were using VLAN tags, I removed the switch after the MoCA adapter and connected the adapter directly to the node. I then connected the switch to one of the LAN ports on the node. I tested it on the 2.4 guest and was able to connect to the guest network without issues and have internet access. Intranet access was kept disabled the entire time. I enabled "All AiMesh node(s)" for the 5GHz network and everything seems to be working fine now. I was about to get a TP-Link Easy Smart Managed switch but decided to see if this setup would work. Thankfully it did. I have not tested whether clients on the guest can access the intranet but hoping to do it later. This might help other people with the same or similar set up as mine and save them some stress.

 

[mocamaster]

Posting to hopefully help some of the people on this thread, I have AIMesh, with Guest Isolation, Wired backhaul, Main router AX58 and 2 nodes AX55 and AC68, everything works.

The likely issue for at least some people with a similar setup is that if your backhaul goes through a switch, you will have the issue of no IP being assigned unless the switch is managed, supports VLANs and is set up correctly.

The Guest Networks, when isolation is turned on, creates VLANs with IDs of 501 for 2.4GHz (the 192.168.101.XXX sub net) and 502 for the 5GHz (192.168.102.XXX sub net). No VLANs are created or needed when isolation is off.

I have my nodes each going through 2 switches (1 Netgear, one TP-Link) but they are both managed and support 802.1Q-based VLAN's and once those were correctly set up the nodes both worked correctly.

I appreciate you sharing your insights, it's indeed helpful for everyone facing similar issues with AIMesh setups. However, there's a particular point that's causing confusion. You suggested that the problem might be resolved if a managed switch that supports VLANs and is set up correctly is used. While this might be valid in some cases, I've found that my main router's Guest WiFi SSID won't allow internet access unless I enable intranet.

Wouldn't it be reasonable to assume that if the issue was indeed due to VLANs, then the main router's guest WiFi should not be affected as it isn't traversing any switches? Also, it's worth noting that in my setup, there are no managed switches in the paths of my nodes or router ( I have moca ethernet backhaul from the nodes to the main router).

Could you please clarify this point? Did you encounter the same issue with your main router's guest WiFi also traversing the switches?

Here's my specific issue: when I have Intranet Access set to OFF and NAT Acceleration set to ON, devices connected to the Guest Network struggle to connect, and even when they do, they can't access the internet. If I enable Intranet Access, the problem is resolved, but this isn't ideal since it opens up my main network to guest devices. Alternatively, I can turn off NAT Acceleration and keep Intranet Access disabled, but this seriously limits my internet speed.


Thanks for any additional insights you can provide.

 

[KidJoe]

Could you please clarify this point? Did you encounter the same issue with your main router's guest WiFi also traversing the switches?

I'm still experiencing the issue where the guest SSID on my main router as well as the nodes can't access the internet unless I enable intranet access. Thanks for any additional insights you can provide.

I had the same issue. I can't offer the technical reasons behind this... But managed switches and vlans fixed it for me.

See

Asus AIMesh Guest network issues

As I said, while I could potentially bypass the basement switch by jumpering the patch panel from the GT-AX6000 to the RT-AX88U for testing, even if that works, I will not be able to bypass the play room switch the TUF-AX5400 is connected to. Unfortunately the roof design above my son's room...

www.snbforums.com

 

[mocamaster]

I'd like to provide a brief update on how I solved an issue with my guest Wi-Fi not connecting to the internet. Initially, the problematic configuration was as follows:

• NAT Acceleration: Disabled
• Guest Network 1 Access Intranet: Disabled

My initial workaround was to enable NAT Acceleration, which successfully provided my guest devices with internet access. However, this resulted in a limit to my internet speeds, approximately capped at around 300.

Based on suggestions from others, I found a solution that involved reconfiguring my guest Wi-Fi networks, specifically Guest 2 and Guest 5. I moved Guest 2 from the first column of the Guest Network settings page to the second column, and Guest 5 to the third column. This change enabled me to set NAT Acceleration to 'Auto'. Consequently, I was able to enjoy Gig download speeds again.

This configuration change allowed devices on my guest network to access the internet while remaining isolated from my primary internal network.
I hope this solution proves useful to others who may encounter similar issues. I spent quite some time figuring it out, so I'd like to thank everyone who offered their assistance!

 

[Atriskalpha]

So I’m having this issue as well on four XT8 wireless backhaul to an unmanaged switch.


Any one know if:

I put I plug the three nodes into the main, will guest 1 work correctly?

Are there any unmanaged switches that guest 1 will work with? I guess I’m asking for an unmanaged switch that can deal with Vlans???

 

[gorstj]

Can't comment on wireless backhaul.
With wired backhaul guest1 works fine on main router and the AImesh nodes (AX86 and XD4 nodes x3)

I have used a managed and unmanaged switch before.
The unmanaged should be fine (as it will preserve all the VLAN tags)
The managed should work fine too as it shoudl, by defauly, pass all the VLAN tags onwards without removing/filtering. It will give you the flexibility to add some wired outlets to be on the guest VLAN exclusively.

 

[jhmd]

I came across this thread having issues with guest network in an AIMesh setup and wanted to share my experiences for anyone else who has the same problem.

I have 300/300 FIOS. I had an existing AC68U and purchased a new AX68U to try improve signal strength in a few areas of my home and hopefully take advantage of higher internal network speed for moving files around from a PC that cannot be hardwired to a NAS. The FIOS ONT is in basement connected to an AC68U. The AC68U is directly wired to a new AX68U on my main floor with no switches in between. Both routers are on the latest stock firmware. I've disabled wireless of the AC68U as it's in a poor location and the main router covers my needs (this didn't affect anything, but needed to be done last).

I wanted to create a guest network for IoT devices that is isolated from my main network. I was running into the same issues many people have mentioned. Only Guest Network #1 allows for you propagate the guest network to Nodes (so using 2 or 3 is not an option). However, if you select disable intranet there seems to be some sort of bug (at least in the AC68U firmware) in how the VLANs are created that prevents clients on the guest network from accessing the WAN / internet. In my case, DHCP was working and devices were IP addresses in the 192.168.101.xxx range which seems to be correct. Devices were isolated from clients on my main network, but also had no access to the WAN/Internet.

The only way I was able to "fix" this was disable the NAT Acceleration on the AC68U:

• NAT acceleration disabled
• Guest network on AiMesh set to "All AIMesh Nodes"
• Access Intranet Disabled)

I was concerned I was going to be making the trade-off of not being able to utilize my full internet speeds if I wanted an isolated guest network, but in practice I get the following behavior:

• Clients on the guest network are isolated from clients on my main network (I cannot ping them or even get to the router's admin UI), but they are able to access the Internet.
• I am able to get my full internet speed (300/300) on my main network even with NAT acceleration disabled. Loaded pings may have gotten marginally worse.
• Clients on the guest network do not get full internet speed but rather between 100-150mbs U/L. This is probably from disabling NAT acceleration, but it's fine for my case as I'm using it for IoT.
• I was seeing capped uploads (~200 mbps) when I was testing the AX68U directly connected to the FIOS ONT as others have mentioned. Putting the AC68U as a router in front of it seems to have mostly alleviated that. I'm still getting slightly slower upload speeds to the internet than with the AC68U alone, but intranet traffic is faster which was my main concern. It's frustrating that a 10 year old Asus router doesn't have this issue but new Asus AX routers do.

The tl;dr here is if you are having problems with AI Mesh nodes and guest wireless, try disabling NAT acceleration and you may still get full internet speeds on your main network if you have sub-gigabit internet. I'm a little disappointed with the experience as the reason I purchased another Asus router was to be able to maintain an isolated guest wireless network while moving a router to my basement without buying multiple new devices. I was able to eventually get it working for my needs, but it wasted a lot of time and the functionality did not work as advertised. Some of this may be related to the mix of firmware across the AC and AX device.

 

[mran613]

I know that this thread hasn't been active, however, I figured Id give it a shot. I've attached a pic of my mesh network. I've completely rebuilt it by resetting all routers to factory settings by holding the wps button and then turning on the power; all routers are at the latest firmware. I've rebuilt this network twice now by adding one node at a time and testing it. All of the nodes are hard-wired with Cat6e, I have 1 main switch that is a managed switch but I have not created any VLANs. I have never been able to get any of the nodes to broadcast my guest network through many firmware upgrades. I've read through all of the solutions in this thread, I cannot find a "nat acceleration" setting in my router's configuration or manual. Any other advice or suggestions?