ASUS Guest Networks and Isolation

[Joe D.]

Have used DDWRT on Dlink 315 and now ASUS Merlin on RT-AC66 and on. Currently installed on AC1900P and AX88U. Prevous experience shows VAPs on separate subnets and firewall rules that controlled access to lan and wlan. AX88U creates BR1 for wl0.1 and wl1.1, but doesn't assign these interfaces to new bridge br1. Devices connected to guest-1 network (wl0.1, wl1.1) are assigned IPs from primary DHCP pool on BR0 and there is no isolation since they are all on same subnet. Enabling guest-2 creates a br2 but again interfaces are assigned to br0. Enabling guest-3 doesn't create a br3 as expected. NOTE: I use IPv4 for personal lan.

 

[eibgrad]

Correct. But that's just the way ASUS decided to do it. What isolation it provides is either using an ethernet (layer 2) firewall, or AP isolation. So it's NOT as if you can't isolate guests from the private network at all. But it's nowhere as flexible as using an IP (layer 3) firewall like you see in DD-WRT or FT (FreshTomato). To be fair, it's NOT as if this hasn't been supported in this same fashion on other firmware. Ubiquity does the same thing, at least by default, but you can optionally choose to implement isolation using different IP networks.

Like any firmware, OEM or third-party, you're buying into a certain set of assumptions (even if you don't immediately know it) about how things do and should work. And many times these things aren't immediately obvious until the choices made by the firmware's developer don't jive w/ your own expectations. The lack of support for user-defined VLANs/VAPs/bridges (and by extension, how guest networks are implemented) on ASUS is major showstopper for me personally. I will use it for purposes other than the primary router (e.g., media bridge), or for my own customers. But as my own primary router, FT is my preference because it comports far more favorably w/ my requirements.