ASUS RT-AX86U Pro ... and the elusive Guest Network Pro

AdCo

New Around Here
Help! I've been at this for days trying to work out how to get a Guest Network set up in a specific way before some guests arrive on Thursday.
I'm wanting the guests to have access to the internet via a separate SSID, and access to just a couple of my smart home devices (basically: the ability to send audio via wifi to a speaker, and the ability to use their Netflix account on their phone streamed onto the Smart TV or Apple TV).

ChatGPT and Gemini told me that the ASUS RT-AX86U Pro would be able to do this via Guest Network Pro and VLAN, so (after a false start with the RT-AXE7800) I ordered the ASUS RT-AX86U Pro.

In addition to the primary network, it said to set up a network in Guest Network Pro for IOT Devices, and a network for Guests. I put all of my IOT devices on the IOT Devices network, and (with a couple of device exceptions) I can access them from the primary network, and my guests cannot other than internet access - as was expected.

Then it said I could provide access to select devices I want the guests to be able to reach via IP or MAC address to the Guest Network so that users could send audio, etc, to those devices. It stepped me through a number of different ways it said this would work (and you'll have to forgive me a little here, as this is where my understanding of it is more sketchy) one after the other, and each ran into a dead-end, before, after hours at this, it tells me it was wrong and the router can't do it. I've probably put a little too much faith in ChatGPT and Gemini (or maybe it's the operator) :P Either way, I don't trust it either way now as to whether the router can or can't do this.

From recollection it had me configuring settings related to
- DHCP server settings
- Route settings
- Firewall settings
(as different ways to solve it, as each previous way was unsuccessful)

Does anyone know - is what I'm wanting to do possible with this router?

I bought a WiiM Mini expecting that guests could send their audio to it, but if I put it on the IOT network they can't currently reach it, and so I tried putting it directly on the Guest Network, but the router doesn't allow access to it. They can reach it via the Spotify app, but this uses Spotify's internet routing rather than my internal wifi network (which isn't a big problem - but access to do this can't be reliant on all guests having a Spotify account).

Any help, direction, or advice would be greatly appreciated!!
It is running the latest firmware 3.0.0.6.102_34349 and operating in Wireless Router mode.
 
The stock Asus 3006 firmware may not offer the granularity you seek. You may need to load Asus Merlin 3006.x firmware to the RT-AX86U Pro then use the custom scripting feature to modify the iptables to allow specific Guest Network Pro clients to access specific main LAN clients. There are a number of past discussions on Guest Network Pro and iptable scripting with Asus Merlin 3006 that can be found using the site search feature. For example, see my post at the following link for some script examples
https://www.snbforums.com/threads/t...st-network-pro-limitations.94438/#post-952345

Ps: some additional relevant discussion here:
 
Thanks very much Bennor! The instructions on that post will be pushing my tech skills, but I really appreciate it - I'll take a look and see if I can work it out. In my case the devices I want the guest to be able to access are on the IOT SSID rather than the main network, but it sounds like this may still be possible using the same sort of approach. Am I right to think that updating to Merlin, the existing IOT and Guest networks I've created and the devices already set up are likely to remain set up and continue to work - I'd just be adding a file with firewall rules to try to handle these exceptions?
 
It is a very good idea to factory reset and manually configure after a firmware change. In fact, it is more than a good idea!
If the clients you want your guests to access are on the IoT Guest WIFI, save yourself the pain of switching firmware and trying things that may not work and let them use the IoT WIFI.
 
It is generally not a bad idea to perform a factory reset when upgrading from stock Asus firmware to Asus-Merlin firmware. More on installing Asus-Merlin here: https://github.com/RMerl/asuswrt-merlin.ng/wiki/Installation
There is a dedicated Asus-Merlin subforum on this site where there is more discussion on that firmware.
How you have your router configured now can be configured the same way under Asus-Merlin firmware since Asus-Merlin firmware is based on Asus firmware.
The advantage of Asus-Merlin firmware, in addition to the many addon scripts is the customization it brings to allow one to configure the router in ways the stock firmware doesn't (easily if at all) allow.

You should give some thought as to why you would want devices on the Guest Network Pro network but still have those devices access clients on the main network. Do those Guest Network Pro clients really need to be on the guest network, or would they benefit from being on the main network? If a device needs to straddle both networks, and that device has two network adapters, then it may be possible to configure one network adapter for the main LAN network and the other for the Guest Network Pro/VLAN network.
 
The intent is to have my personal devices, like my laptop on the main SSID separated from everything else, then to have the IOT devices on their own SSID, so that they can be logged into that, but still allow me to access those devices when I am connected on the primary network (that part appears to be working). The intention with the guest network is to be able to change the password with each guest, without needing to change the password for 15 IOT devices each time a guest changes - so I don't want guests connecting directly to the IOT SSID. I also don't want them to have access to all the devices on the IOT network (cameras, smart locks, etc) when they only need to be able to use the internet, send audio to wifi connected speakers, and stream their Netflix to the TV or Apple TV. I think that makes sense as a plan?
 
OK cool, thanks for the advice re reset BBunge.
There are two problems with letting them use the IOT wifi...
(1) I don't want guests to have access to everything on the IOT (cameras, locks, etc), just a couple of devices so they can stream.
(2) From recollection I think the WiiM Mini device they'd be sending audio to also may not work on the IOT network (I'd need to re-check that) - I think the router may block sending to it unless it is on the main network.
While I can access most IOT network devices from the main network, I seem to only be able to connect to the WiiM Mini if I'm on the same network, and it is not a guest network.
 
While there are some ways to allow the discovery of the WiiM on alternative vlans, this delves into advanced technical territory very quickly, and you've stated your level of expertise might be on the lower side. (This same topic has come up on the WiiM forums, and a feature request to allow manual device entry via IP address. You'd also potentially need some iptables commands scripted in Merlin firewall to make this work.) If I may, I'll propose a practicality solution opposed to a technical one, just to keep things simple and to have a solution before your deadline here.

Maybe you should rethink the purpose of your Guest and IoT vlans. It sounds like you have 2 categories of IoT - entertainment and security. I'd suggest keeping your IoT vlan (cameras, locks, etc) as it is, then keeping your entertainment IoT on the Guest Network. Perhaps this would be much fewer devices to reset the password when new rounds of guests visit.

I'm also not someone to poo poo paranoia security measures, but do you have guests that you allow in your house and use your entertainment that you really need to block them later? All I'm saying is perhaps think thru the desired end goal then weigh the practicality vs potential security risks. However, no matter how much you trust these people, don't let them on the vlan with security devices.
 
Would it help to have a second "IoT"/GN just for the few devices that guests would interact with?
 
Hey Justinh, I did try that also, but the issue there is that I don't want to have to keep changing networks so that I can use devices - and when I set up a second IOT network it seems to treat the second one differently to the first. I can access my devices on the first IOT network when logged into the primary network, but I can't access the devices on the second IOT network without logging in to it.
 
When you set up a Guest Network Pro Profile like IoT, it gives you the option to enable or disable "Use same subnet as main network". If you enable that option then all client devices connected to that Guest Network Pro Profile will use the same IP subnet range as the main network LAN and should be able to access those main LAN clients.

Like indicated previously, if you need specific network devices on the main LAN to be accessed when you have the Guest Network Pro "Use same subnet as main network" option disabled, then you either have to use Asus Merlin firmware and do some firewall scripting (iptables) like my prior linked examples show, or you have to use a device that has two network adapters, one connected to the main LAN and one to the Guest Network Pro Profile.

There have been a number of past discussions where people are trying to do the same, have segmented Guest Network Pro clients access a specific device on the main LAN network, usually for Home Automation or similar devices that reside on the main LAN but control devices on Guest Network Pro networks.
 
Hey SoFluffy thanks so much for the info re WiiM! I'll look into it further. I'm a web dev, so I have some familiarity with tech, and always willing to give things a try - I just mentioned it for a little context as I can see some explanations on the forum assume a pretty deep level of experience, which I don't yet have.
I did consider what you suggested, but it's not really practical for me to be logging in and out of the guest network so I can use devices on it on a daily basis myself. I do want the audio and Netflix to be controllable from my smart home, and so keen to have those on the IOT network. The situation is that this is my home, but that I'm having Airbnb guests here at times when I'm away, so I wish to limit what they can do, and not have to continually change multiple device passwords as it could be a couple of times a week at times, and I may not always be around to do that.
 
Thanks Bennor - yep, I got that - your Merlin and iptables solution is sounding like the only viable option to achieve what I want so far, as it seems unlikely I could rely on each device having two network adapters. I'll need to look at it, it is just unlikely to be in time for my guests in a couple of days :) I'm just responding to ideas from others where they've mentioned things I've attempted previously as they asked / made a suggestion, or where they've asked why not do it a different way :)
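
Added example (not part of any post in this thread, and not the script from Bennor's linked post): a sketch of the kind of Asuswrt-Merlin firewall-start script the thread discusses, letting guest clients reach only listed services on listed IoT devices. The bridge names, addresses and ports are constructed placeholders. These rules only permit routed unicast traffic; device discovery across VLANs, which the thread raises for the WiiM, is a separate problem they do not address.

```shell
#!/bin/sh
# Sketch for /jffs/scripts/firewall-start on Asuswrt-Merlin (added example).
# Every value below is a constructed placeholder; check `ip addr` on the
# router for the real bridge names and your device list for real addresses.
GUEST_IF="br53"   # assumed bridge of the Guest profile
IOT_IF="br52"     # assumed bridge of the IoT profile
# Allow-list, one "ip proto port" per line (placeholder speaker and TV).
ALLOW="192.168.52.20 tcp 10095
192.168.52.30 tcp 7000"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, change nothing

# Accept only a single host, tcp/udp, and one numeric port, so a typo
# cannot open a whole subnet or every port to guests.
valid_entry() {
    case "$1" in ""|*[!0-9.]*) return 1 ;; esac
    case "$2" in tcp|udp) ;; *) return 1 ;; esac
    case "$3" in ""|*[!0-9]*) return 1 ;; esac
    return 0
}

# Print one FORWARD rule spec per allowed service, then the reply rule.
rule_specs() {
    echo "$ALLOW" | while read -r ip proto port; do
        if ! valid_entry "$ip" "$proto" "$port"; then
            echo "skipping invalid entry: $ip $proto $port" >&2
            continue
        fi
        echo "-i $GUEST_IF -o $IOT_IF -d $ip -p $proto --dport $port -j ACCEPT"
    done
    # Replies only: IoT devices still cannot open connections to guests.
    echo "-i $IOT_IF -o $GUEST_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

apply_rules() {
    rule_specs | while read -r spec; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "iptables -I FORWARD $spec"
        # -C checks for an existing rule so re-runs do not stack duplicates.
        elif ! iptables -C FORWARD $spec 2>/dev/null; then
            iptables -I FORWARD $spec
        fi
    done
}

apply_rules
```

Run it as-is to review the printed commands; setting DRY_RUN=0 on the router applies them, and `iptables -L FORWARD -v -n` then shows whether the packet counters on the new rules move when a guest connects.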
 
