What's new

Asus Merlin 386.1 IoT-network configuration

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

NeoID

New Around Here
Hi,

I own three different AX88U's. Two of them are connected by AIMesh (with Ethernet backhaul) and one is configured as a media bridge and connected to my server (as my server for the time being can't be connected by cable). For now I have an ancient Asus router as a dedicated IoT router connected to my media bridge. That way I get a IoT SSID and my "Home Assistant" (Smart-home server) which is connected to the IoT router is able to get access to devices on both my IoT- and my main LAN. The main purpose of this not security, but to have a static SSID to use with hardware that is difficult to program/reset.

I've read about YazFi which sounds promising, but apparently does not work well with AImesh yet. What caught my eyes was the possibility to setup "One way to guest", but I'm not sure how that affects devices that for example run web-servers that require two way communication? Maybe I just understand that wrong... I would love to be able to sync my IoT SSID between the two nodes I have since my floors are concrete and no WiFi get's through. However, I hear that doesn't work well yet until Asus may or may not fix that Guest network 1.

The only real requirement I have is that I have to be able to set static IP from the DHCP side. I would love to be able to block IoT devices from accessing the LAN as a security feature, but I'm not sure that would generate a lot of other issues.

How are you guys setting up a IoT network?
 
I had high hopes for YazFi + 386.1 as well but unfortunately for now, the combo seems to not be in a perfect state.

However, I have my iot devices connecting to Guest 1 2.4Ghz with Access Internet = disabled, Sync to AiMesh node = All. That puts them on the 192.168.101.x (seems hard-coded and this is what seems to cause YazFi issues) segment and they seem to be well-separated from the main LAN -- as in iot devices can *not* reach LAN devices but (unfortunately for me but sounds like desired by you) LAN devices are able to reach the devices on the guest segment. The guest network is extended to my two other AiMesh nodes.

I noticed that neither Guest 2 nor Guest 3 guest networks can *not* be sent to the AiMesh node(s)

I'd love to hear how things are working for others in respect to this/these scenarios.
 
Actually the setting is Access Intranet = Disabled. Intranet refers to your LAN as compared to Internet which is your WAN. Yes, is can be confusing.

The Guest 1 is working as intended. I have done some research into doing manual address assignment on Guest 1 or being able to assign static IP addresses. I have found the NVRAM settings that control the assignment of addresses in the guest network but it is not a high priority for me as I do not normally use a guest network at home. Just do not have devices that I am concerned about security wise.
 
Actually the setting is Access Intranet = Disabled. Intranet refers to your LAN as compared to Internet which is your WAN. Yes, is can be confusing.

The Guest 1 is working as intended. I have done some research into doing manual address assignment on Guest 1 or being able to assign static IP addresses. I have found the NVRAM settings that control the assignment of addresses in the guest network but it is not a high priority for me as I do not normally use a guest network at home. Just do not have devices that I am concerned about security wise.
Access Intranet = Disabled means I don't want devices on the guest network to be able to interact (both ways) with devices on the LAN, right? Or does it just protect in one direction (aka guest can't see LAN but LAN can see guests)?

Yeah, what I see is that if I have YazFi enabled, it does not use the IP segment I specify in YazFi but it stays with 192.168.101.x (or 192.168.102.x for 5Ghz Guest 1) I also see that the 101 *is* in the nvram and I don't want to mess with that.

Anyways, Yaz has told me that things are better on a develop version of YazFi so I'll be trying that tonight or this weekend as time allows.
 
What caught my eyes was the possibility to setup "One way to guest", but I'm not sure how that affects devices that for example run web-servers that require two way communication?

The problem w/ IOT these days is that no one has established a *clear* *consistent* definition of what qualifies as an IOT device, and the relationship it should have w/ the rest of the network. Even you stated security was NOT a primary concern in your case. And now you're pondering the issue of inbound access.

Just seems to me we're being a little too loose in the use of that term, when in fact many of these scenarios would probably not qualify. It matters because certain assumptions are obviously going to be made about IOT and how it should operate, just as it is w/ guest networks. And that means IOT as implemented by the developers might not be to everyone's liking.
 
Last edited:
Seems like using "Guest network 1" with "Sync to AImesh nodes" is the way to go. That gives me the coverage I need on both my floors, the IP is the same as my main network, so setting static IP's seems to work and I can just block the Internet access on a per-device basis. While not perfect, it's probably the best option.

Is there a way to block clients connected to Guest 1 (synced) from connecting to a specific IP such as 192.168.1.10 while allowing all other connections?
 
Last edited:
Hi,
Follow this discussion with great interest. I'm in same situation but have chosen not to use my routers to extend my network, but instead put the routers in cascade, the outer connected to ISP is the Iot router, where iot hub, printer, smarttv etc but also a small router dedicated to guests, is attached, the inner router is for my nas, desktops, laptops and private phones only.
By this topology I'm able not only to separate the iot from the the important systems, I can also use wired iot devices, I can easily shut off my guest network and separate iot 's by put them on separate guest nets. At the same time I never comprises the security of the inner network hidden behind double nat and the inner router firewall which automatically allows traffic only oneway.
As a bonus it also gives me the opportunity to implement wifi6 fully by dedicate the inner router 5GHz band for wifi 6 devices only (which is a absolute requirement), right now only my own and my wife's phones.
So why don't try this approach? It seems much more simple than the guest network approach by Yazfi extension.

EDIT: The original inspiration to build a system like this came from an old post in this forum, thank you for that, @CaptainSTX !
 
Last edited:

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top