Asus Merlin 386.1 IoT-network configuration


NeoID

New Around Here
Hi,

I own three different AX88U's. Two of them are connected by AiMesh (with Ethernet backhaul) and one is configured as a media bridge and connected to my server (as my server for the time being can't be connected by cable). For now I have an ancient Asus router as a dedicated IoT router connected to my media bridge. That way I get an IoT SSID and my "Home Assistant" (smart-home server), which is connected to the IoT router, is able to get access to devices on both my IoT and my main LAN. The main purpose of this is not security, but to have a static SSID to use with hardware that is difficult to program/reset.

I've read about YazFi, which sounds promising, but apparently does not work well with AiMesh yet. What caught my eye was the possibility to set up "One way to guest", but I'm not sure how that affects devices that for example run web servers that require two-way communication? Maybe I just understand that wrong... I would love to be able to sync my IoT SSID between the two nodes I have since my floors are concrete and no WiFi gets through. However, I hear that doesn't work well yet until Asus may or may not fix that Guest network 1.

The only real requirement I have is that I have to be able to set static IP from the DHCP side. I would love to be able to block IoT devices from accessing the LAN as a security feature, but I'm not sure that would generate a lot of other issues.

How are you guys setting up an IoT network?
 

mpilasy

New Around Here
I had high hopes for YazFi + 386.1 as well but unfortunately for now, the combo seems to not be in a perfect state.

However, I have my IoT devices connecting to Guest 1 2.4GHz with Access Internet = disabled, Sync to AiMesh node = All. That puts them on the 192.168.101.x (seems hard-coded and this is what seems to cause YazFi issues) segment and they seem to be well-separated from the main LAN -- as in IoT devices can *not* reach LAN devices but (unfortunately for me but sounds like desired by you) LAN devices are able to reach the devices on the guest segment. The guest network is extended to my two other AiMesh nodes.

I noticed that neither Guest 2 nor Guest 3 guest networks can *not* be sent to the AiMesh node(s).

I'd love to hear how things are working for others in respect to this/these scenarios.
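
The one-way behaviour described above (LAN devices can reach guest devices, guest devices cannot reach the LAN) still lets an IoT web server answer requests, because its replies belong to a connection the LAN side opened. The following is an added illustration, not part of the original posts and not the router's or YazFi's actual rules: a simplified Python model that assumes the separation is enforced by a stateful filter. The /24 masks, host addresses and ports are constructed for the example.

```python
import ipaddress

# Segments named in the thread; the /24 masks are an assumption.
LAN = ipaddress.ip_network("192.168.1.0/24")
GUEST = ipaddress.ip_network("192.168.101.0/24")


def zone(ip):
    """Map an address to 'lan' or 'guest'; Internet traffic is not modelled."""
    addr = ipaddress.ip_address(ip)
    if addr in LAN:
        return "lan"
    if addr in GUEST:
        return "guest"
    raise ValueError(f"{ip} is outside the two modelled segments")


class OneWayFilter:
    """Stateful forward filter: LAN may open flows to guest, not the reverse."""

    def __init__(self):
        self.flows = set()  # simplified connection-tracking table

    def forward(self, src, sport, dst, dport, syn=False):
        if zone(src) == zone(dst):
            raise ValueError("same segment: not routed through this filter")
        key = (src, sport, dst, dport)
        reply_of = (dst, dport, src, sport)
        # Packets of an already tracked flow pass in both directions.
        if key in self.flows or reply_of in self.flows:
            return "ACCEPT"
        # Only a new connection from the LAN side may create state.
        if syn and zone(src) == "lan":
            self.flows.add(key)
            return "ACCEPT"
        return "DROP"


def demo():
    fw = OneWayFilter()
    ha, cam = "192.168.1.10", "192.168.101.23"  # constructed hosts
    return [
        fw.forward(ha, 40000, cam, 80, syn=True),    # LAN opens HTTP to IoT device
        fw.forward(cam, 80, ha, 40000),              # reply on the tracked flow
        fw.forward(cam, 50000, ha, 8123, syn=True),  # IoT device initiates to LAN
        fw.forward(cam, 80, ha, 40001),              # unsolicited "reply", no state
    ]


if __name__ == "__main__":
    print(demo())
```
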
 

bbunge

Part of the Furniture
Actually the setting is Access Intranet = Disabled. Intranet refers to your LAN as compared to Internet which is your WAN. Yes, it can be confusing.

The Guest 1 is working as intended. I have done some research into doing manual address assignment on Guest 1 or being able to assign static IP addresses. I have found the NVRAM settings that control the assignment of addresses in the guest network but it is not a high priority for me as I do not normally use a guest network at home. Just do not have devices that I am concerned about security-wise.
 

mpilasy

New Around Here
Actually the setting is Access Intranet = Disabled. Intranet refers to your LAN as compared to Internet which is your WAN. Yes, it can be confusing.

The Guest 1 is working as intended. I have done some research into doing manual address assignment on Guest 1 or being able to assign static IP addresses. I have found the NVRAM settings that control the assignment of addresses in the guest network but it is not a high priority for me as I do not normally use a guest network at home. Just do not have devices that I am concerned about security-wise.
Access Intranet = Disabled means I don't want devices on the guest network to be able to interact (both ways) with devices on the LAN, right? Or does it just protect in one direction (aka guest can't see LAN but LAN can see guests)?

Yeah, what I see is that if I have YazFi enabled, it does not use the IP segment I specify in YazFi but it stays with 192.168.101.x (or 192.168.102.x for 5GHz Guest 1). I also see that the 101 *is* in the nvram and I don't want to mess with that.

Anyways, Yaz has told me that things are better on a develop version of YazFi so I'll be trying that tonight or this weekend as time allows.
 

eibgrad

Very Senior Member
What caught my eye was the possibility to set up "One way to guest", but I'm not sure how that affects devices that for example run web servers that require two-way communication?

The problem w/ IOT these days is that no one has established a *clear* *consistent* definition of what qualifies as an IOT device, and the relationship it should have w/ the rest of the network. Even you stated security was NOT a primary concern in your case. And now you're pondering the issue of inbound access.

Just seems to me we're being a little too loose in the use of that term, when in fact many of these scenarios would probably not qualify. It matters because certain assumptions are obviously going to be made about IOT and how it should operate, just as it is w/ guest networks. And that means IOT as implemented by the developers might not be to everyone's liking.
 

NeoID

New Around Here
Seems like using "Guest network 1" with "Sync to AiMesh nodes" is the way to go. That gives me the coverage I need on both my floors, the IP is the same as my main network, so setting static IPs seems to work and I can just block the Internet access on a per-device basis. While not perfect, it's probably the best option.

Is there a way to block clients connected to Guest 1 (synced) from connecting to a specific IP such as 192.168.1.10 while allowing all other connections?
 