What's new

Asus AIMesh Guest network issues

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

So, are clients on your AP guest WLAN(s) isolated from your intranet?

OE

Answering a question with a question?

The ASUS router Guest Network section says this:

The Guest Network provides Internet connection for guests but restricts access to your local network.
 
Answering a question with a question?

The ASUS router Guest Network section says this:

The Guest Network provides Internet connection for guests but restricts access to your local network.

Yes, the proof is in the confirming of your security, not what you read.

I believe AP Mode guest WLAN clients are not isolated from your router (intranet). Confirm this.

If true, then AiMesh (router mode, not AP mode) guest1 WLANs (that sync to all nodes and are suppose to be isolated from your intranet) would be superior to your AP Mode guest WLANs. Confirm this, too.

OE
 
How totally frustrating. I made the error, prior to finding this thread/posting, that guest network would work on this extremely expensive AiMess network that I setup. I bought a RT-AX88U to add to my network of 2 RT-AX86U's, all to be in an AiMess configuration. Enabled the guest 1 network for 2.4G only, with access to Intranet and WPA2 Personal password. This completely crippled my network. 2 hours later I managed to restore (always do a backup before making changes to the Asus configuration), re-add my nodes, and get my network back online.

How is it that a company provides an interface to configure a functionality that does not work and in fact causes total chaos to ensue?

Perhaps this has to do with the latest firmware, or is it the RT88U that is the culprit in my case. I bought it to add better coverage in my basement (to much metal ductwork between it and the upper floor that caused performance issues). Adding the RT88U I immediately had issues with several IoT devices (4 switches and two light bulbs) that could not get on the network. I figured that a guest network that was only 2.4G would allow me to control the connection, but that was way worse.

Appologies for the rant. Just completely frustrated with Asus at this point.
 
Posting to hopefully help some of the people on this thread, I have AIMesh, with Guest Isolation, Wired backhaul, Main router AX58 and 2 nodes AX55 and AC68, everything works.

The likely issue for at least some people with a similar setup is that if your backhaul goes through a switch, you will have the issue of no IP being assigned unless the switch is managed, supports VLANs and is set up correctly.

The Guest Networks, when isolation is turned on, creates VLANs with IDs of 501 for 2.4GHz (the 192.168.101.XXX sub net) and 502 for the 5GHz (192.168.102.XXX sub net). No VLANs are created or needed when isolation is off.

I have my nodes each going through 2 switches (1 Netgear, one TP-Link) but they are both managed and support 802.1Q-based VLAN's and once those were correctly set up the nodes both worked correctly.
 
Unfortunately the guest network on mesh nodes with intranet isolation enabled hasn't worked on all newer firmware versions on my AX92U. I am using the wireless backhaul though rather than wired, with an AX88U as the main router.

The only solution for me has been to revert the AX92U back to firmware version 386_43084 which was the last one where isolated guest network on mesh nodes still working with my setup. The main AX88U router is on the current latest firmware 386_45934.

I have raised this with ASUS via the feedback form and sent them logs etc but not had any replies.

I did notice a separate thread here when y-y's recommendation was to use merlin's firmware and remove the WLAN port from the 501/502 VLANs, as I'm not running merlin's firmware I haven't been able to try it though:
 
Posting to hopefully help some of the people on this thread, I have AIMesh, with Guest Isolation, Wired backhaul, Main router AX58 and 2 nodes AX55 and AC68, everything works.

The likely issue for at least some people with a similar setup is that if your backhaul goes through a switch, you will have the issue of no IP being assigned unless the switch is managed, supports VLANs and is set up correctly.

The Guest Networks, when isolation is turned on, creates VLANs with IDs of 501 for 2.4GHz (the 192.168.101.XXX sub net) and 502 for the 5GHz (192.168.102.XXX sub net). No VLANs are created or needed when isolation is off.

I have my nodes each going through 2 switches (1 Netgear, one TP-Link) but they are both managed and support 802.1Q-based VLAN's and once those were correctly set up the nodes both worked correctly.
Interesting Point on the switched vs unstitched wired backhaul. It has me wondering if this is not also an impact on some other HomeKit challenges.

As a curious note, I did a restore of my network to clean up the problems that came from creating the guest network. Everything worked fine and then I noticed that it had not turned off the guest network. This might just be a chance coincident but I wonder if you get everything running without the guest network, then setup the guest network, and then restore the backup that was made.
 
Posting to hopefully help some of the people on this thread, I have AIMesh, with Guest Isolation, Wired backhaul, Main router AX58 and 2 nodes AX55 and AC68, everything works.

The likely issue for at least some people with a similar setup is that if your backhaul goes through a switch, you will have the issue of no IP being assigned unless the switch is managed, supports VLANs and is set up correctly.

The Guest Networks, when isolation is turned on, creates VLANs with IDs of 501 for 2.4GHz (the 192.168.101.XXX sub net) and 502 for the 5GHz (192.168.102.XXX sub net). No VLANs are created or needed when isolation is off.

I have my nodes each going through 2 switches (1 Netgear, one TP-Link) but they are both managed and support 802.1Q-based VLAN's and once those were correctly set up the nodes both worked correctly.
What you say makes sense. I was wondering how the "guest network" isolation would work without VLAN tagging and you're correct (I'm 99.9% certain) that the "regular" home network switches (not-managed) do not support VLAN Tagging, and, like me, using wired/ethernet backhaul connects to another switch.

Now, what I do wonder is what if one connected to the 4-port switch on the main ASUS router? I have no idea (I'd kinda doubt it) if that would support VLAN tagging, but it's a thought/idea to try out.
 
My configuration is:

AiMesh Router -> unmanaged switch -> AiMesh Node with Ethernet backhaul

I have a 5 GHz guest network with [Access Intranet] = DISABLE (no intranet access) and [Sync to AiMesh Node] = ALL

When AiMesh Router and AiMesh Node are both on Merlin 386.4, I cannot get an IP assigned when I'm attached to the guest network via the node.

When AiMesh Router is on Merlin 386.4 but the AiMesh Node is on stock FW 386_45987, the guest network is working as expected when connecting via the node: I get an IP assignment in the guest range, and I'm blocked from the intranet.
 
Restoring a backup will bring the state of the router/network back to the same state before a full reset. In other words, in a bad state.

Not that doing so hasn't seemingly fixed some people's issues (at least temporarily), but I can just imagine how bad the router was (it wasn't in a good/known state at all).
 
Posting to hopefully help some of the people on this thread, I have AIMesh, with Guest Isolation, Wired backhaul, Main router AX58 and 2 nodes AX55 and AC68, everything works.

The likely issue for at least some people with a similar setup is that if your backhaul goes through a switch, you will have the issue of no IP being assigned unless the switch is managed, supports VLANs and is set up correctly.

The Guest Networks, when isolation is turned on, creates VLANs with IDs of 501 for 2.4GHz (the 192.168.101.XXX sub net) and 502 for the 5GHz (192.168.102.XXX sub net). No VLANs are created or needed when isolation is off.

I have my nodes each going through 2 switches (1 Netgear, one TP-Link) but they are both managed and support 802.1Q-based VLAN's and once those were correctly set up the nodes both worked correctly.

Can anyone elaborate on "and is setup correctly".

I have a similar configuration described in the quoted text. Primary Router is ac88u. Two mesh nodes, each ac68u. Wired backhaul to an TP-Link "Easy Smart" Switch, that does support 802.1Q VLAN.

I experience the same issue described throughout this thread. Devices connected to guest network of mesh nodes often spin on "Obtaining an IP address".

Given I have a cable from LAN of primary router to Port 1 of switch, and cables from WAN of mesh nodes to Ports 2 and 3 of the switch --- what is the proper VLAN configuration at the switch?
 
My configuration is:

AiMesh Router -> unmanaged switch -> AiMesh Node with Ethernet backhaul

I have a 5 GHz guest network with [Access Intranet] = DISABLE (no intranet access) and [Sync to AiMesh Node] = ALL

When AiMesh Router and AiMesh Node are both on Merlin 386.4, I cannot get an IP assigned when I'm attached to the guest network via the node.

When AiMesh Router is on Merlin 386.4 but the AiMesh Node is on stock FW 386_45987, the guest network is working as expected when connecting via the node: I get an IP assignment in the guest range, and I'm blocked from the intranet.
Interesting, I went looking and apparently some unmanaged switches will pass VLAN tags along. I had one that didn't (dropped them), so thought you had to have a managed switch to support it, but saw the following:

 
Interesting, I went looking and apparently some unmanaged switches will pass VLAN tags along. I had one that didn't (dropped them), so thought you had to have a managed switch to support it, but saw the following:

I used to manually set up a tagged VLAN as a guest network with this same unmanaged switched. It would work for a while, but sporadically it wouldn’t (couldn’t get a guest IP), and I always thought maybe it was because of the cheap consumer switch. But then I bypassed the switch and still had issues, so I finally concluded the switch was passing the tags just fine.
 
I was hoping the latest version of MerlinWRT (v386.4) would fix the AiMesh issue with guest access on my two RT-AC86U's. But it doesn't....
The only way to get guest access working is by (still) enabling "Access Intranet", otherwise it will stay stuck on assigning/getting an IP-address.


When AiMesh Router is on Merlin 386.4 but the AiMesh Node is on stock FW 386_45987, the guest network is working as expected when connecting via the node: I get an IP assignment in the guest range, and I'm blocked from the intranet.

So the original Asus FW does work with guest access and with intranet disabled?
Seems MerlinWRT missed something then when updating the firmware? Or did I miss something here?
 
The only way to get guest access working is by (still) enabling "Access Intranet", otherwise it will stay stuck on assigning/getting an IP-address ... So the original Asus FW does work with guest access and with intranet disabled?
I've been having similar issues across several recent versions of AsusWRT Merlin with wireless clients being able to connect to guest network 1 via the main router (AC86U), but unable to connect to the same network via my single Aimesh node (AC68U). In essence I had a choice between three unacceptable options:
  • Wired backhaul between router and node with 'access intranet' enabled: wireless clients unable to connect to guest network 1 via the node, logs showing a flood of dropped packages. Same result regardless of whether the router and node were wired directly to each other or via a semi-managed switch (TP-Link TL-SG108E).
  • Wired backhaul with 'access intranet' disabled: wireless clients able to connect via the node and no dropped packages in the network. However, not an acceptable solution due to security issues.
  • Wireless backhaul between router and node: clients able to connect to guest network 1 via the node with 'access intranet' disabled. Unfortunately this didn't work for me either due to speed issues (wifi connection between router and node too weak).
After reading @tsanga's comment above I decided to install the latest Asus stock firmware (386.45987) on the node, leaving the main router on Merlin 386.4 with a wired connection to the node (via the switch). I can confirm that guest network 1 is now working as expected: wireless clients can now connect via both the router and the node and are blocked from the intranet.
 
Last edited:
So the original Asus FW does work with guest access and with intranet disabled?
Seems MerlinWRT missed something then when updating the firmware? Or did I miss something here?
You only need Asus FW on the node, not the router. I haven’t come up with a really good reason to need Merlin FW on the node, except maybe to schedule the node LED lights in a bedroom, which is better than the all or nothing toggle in the AiMesh menu. But there are mechanical solutions to dim blinking lights (scotch tape).
 
@pinkgrae @tsanga

Thanks guys for your answers. Guess I will go back (for the very first time) to the original Asus FW then. And I thought I read somewhere it's being adviced to use the same firmware on all AiMesh devices? And not to mix them? Maybe I am wrong though.
Still I do not understand why the MerlinWRT firmware didn't include this fix and is still broken...
 
@pinkgrae @tsanga

Thanks guys for your answers. Guess I will go back (for the very first time) to the original Asus FW then. And I thought I read somewhere it's being adviced to use the same firmware on all AiMesh devices? And not to mix them? Maybe I am wrong though.
Still I do not understand why the MerlinWRT firmware didn't include this fix and is still broken...

From the wiki itself:
Nodes running this firmware will have one limitation over running on the stock firmware, which is they will lack the ability to automatically download and install new firmware versions. New firmware availability notification will still work, and the changelog will also be visible through the webui, but you will have to use the node's Upload hyperlink to manually upload any new firmware. Nodes running on the stock firmware will retain their ability to do live updates by using the global Firmware Upgrade button.

While Merlin-based nodes seem to work fine so far (aside from the above limitation), there is generally little benefit in running it on a node, so it's generally recommended to leave your nodes on the stock Asus firmware.
I guess now there are two limitations.

 
Update: 15 hours since flashing stock on the node and everything (including guest network 1) is still working as expected. The only potential issue is that I am seeing a trickle of dropped packages in the network, but nowhere near the flood I was experiencing earlier. However, reading the TP-Link forums I suspect this may be an issue with the switch, as others have reported similar issues.
I thought I read somewhere it's being adviced to use the same firmware on all AiMesh devices? And not to mix them?
As stated above the wiki advises that nodes can run either stock Asus or Merlin firmware with a router on Merlin, but it says that if running a mixture you should "run firmware releases that were released at approximately the same time, for having the best chance of avoiding compatibility issues". Some users have advocated running exactly the same firmware on router and nodes to avoid any potential for compatibility issues, but in practice mixing and matching doesn't seem to be an issue - e.g. see this thread and this thread. I think go with whatever works for you, but make sure to keep the firmware on the router and nodes up to date (as you should anyway).
I haven’t come up with a really good reason to need Merlin FW on the node, except maybe to schedule the node LED lights in a bedroom, which is better than the all or nothing toggle in the AiMesh menu. But there are mechanical solutions to dim blinking lights (scotch tape).
I didn't know about the LED control! Anyway, my reason for running Merlin on my node was that it allowed me to run command line scripts on the node - e.g. a while ago I was running an automated backup script for a usb drive that was attached to the node. However, at the moment I don't use this functionality as a pi is doing this task now, and I'm only using the node for wireless access. On the other hand I very much need the guest network to work via the node, so the plan for the time being is to stick with stock on the node.
 
Last edited:
Dunno. But I cannot seem to find 386.45987 for AC86U. It only appears to be for the RT-AC68U?
The only current version I can find on the Asus website for my AC86U is: 3.0.0.4.386.45956.

Is that correct?
 
Dunno. But I cannot seem to find 386.45987 for AC86U. It only appears to be for the RT-AC68U?
The only current version I can find on the Asus website for my AC86U is: 3.0.0.4.386.45956.

Is that correct?
Merlin 386.4 is using GPL 386_45958, so that should be close enough for it to work.

I’ve been using it this way with my node running stock FW since OEM 43129.
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top