ASUSWRT 386 new guest network IP space and DHCP static IPs

i am reading this thread with great interest as i just happened upon it and the problems you guys are seeing might actually be a benefit for my usage. i'm currently still on 384.19 Merlin for a router (1900P) and access point (68u). with that older firmware, the guest network on the AP cannot be isolated from the intranet which is not the way i would want it to operate. i'd like to keep my IoT devices on the guest network so they can't touch my main network or my other devices.

can anyone show me the guest network "setting screen" for 386? is there a check box that allows me to disable intranet access for guest network devices? (that doesn't exist in 384 in AP mode, but it does exist as an option for the guest network on my main router)

thanks for sharing your experiences. if it's a workable option (i was waiting for Merlin 386 to hit final release), i may upgrade my AP to the standard Asus firmware (386) and leave my router operating with 384.19 Merlin.
 
Your best bet is to change the AC68U from an access point to an AiMesh node. With that you can have one 2.4 GHZ and one 5 GHZ guest WIFI that is extended from the router to the mesh and it can be isolated from the LAN. I am currently running an AC66U_B1 router with AC68U mesh node in a small office with a 2.4 GHZ on both. Works very well!
 
thanks. i may ultimately do this when Merlin gets updated to 386. but i'm hoping someone out there can confirm what the setting options are for the guest network on a standard AP mode for the 68u. i know AIMesh2.0 is supposed to be a big improvement over 1.0, but i've had great success in terms of wifi performance using a standard Router + AP ... handoffs are fast enough and i get great performance everywhere in the house. my only interest right now is protecting my network from the IoT devices. i can do that keeping the guest network on the main router, but i'd prefer to give all of those duties to the AP if possible.
 
Well, a guest WIFI on an AP can not be isolated from the LAN. Even under the 386 firmware code. With AiMesh 2.0 you can sync the guest network to the nodes from the router and maintain isolation from the LAN.
 
Here is the setting dialog for Guest network #3. I have already set up #1 so I can no longer show that screen without messing up my network. In 386, Guest Network #1 is special in that it has an additional setting to specify that the Guest network should appear on all nodes connected via AiMesh. So yes, you can disable intranet access...and that works in that the Guest client cannot access the main network.
 

Attachment: Asus386GuestNetwork3.png (539 KB)

Hi! Recently, I have no internet access on the guest network (GN1 on AC86U). This has never been an issue before, so I believe the latest firmware is the culprit. When I connect my Android phone to the GN it connects to the AC86U's Wi-Fi but no internet (phone shows a Wi-Fi icon with an exclamation mark). GN1 IP is in the 192.168.101.xxx range. I have an internet connected IoT device with a fixed IP (192.168.1.xxx range) on GN2, which works fine. This topic is the closest I've come to narrowing down the problem, but I'm not sure if the new IP ranges have anything to do with it. Hope you can point me in the right direction! Any ideas?
 
I updated the latest firmware yesterday and discovered this issue, which has had me most confused all day until I read this thread. Now, I'm just as confused although in a different way.

I have an RT-AC88U, in Wireless Router mode. I have no other routers in the system. I had one 2.4GHz and one 5GHz guest network. In the Wireless settings, I enabled the Wireless MAC filter and entered the MAC addresses of all my devices (laptops, phones, iPads, TVs, streaming sticks). If it isn't mine, it does not get in. Also, I hide the SSIDs and have good passwords. In the Guest Networks, I enabled the MAC filters and had the MAC addresses of devices that I want isolated from my main network. Access Intranet is disabled. I also manually assigned IP addresses for all my devices.

All this worked fine before this update. Now I see that the IP addresses on the Guest networks were in the 192.168.101.xxx range for 2.4GHz guest and 192.168.102.xxx for the 5GHz guest. My manual IP assignments no longer worked on the guest networks. I ended up creating a second guest for each band and it works as expected with IP addresses in the 192.168.1.xxx range and manual assignments work. Access Intranet is disabled on all 4 guest networks.

I can live with this. But my question is... when a device is connected on a guest network with Access Intranet disabled, is that device unable to see the devices on my main network or other guest networks? And vice versa, can the devices on my main network see any of the devices on the guest networks? Is it different for the first guest network vs the second? When I run the Avast WiFi inspector from my LAN connected PC, it identifies all the devices connected on the second guest networks. After the reset, I left the first guest network without MAC filtering, but I could not connect to it with the SSID hidden so I have not tested the visibility on that network yet.
 
The main (first) Guest networks are using different subnets for a reason (they 'now' work to properly isolate clients you don't want on your internal network). :)

Some points for you to ponder:
  • Hidden SSIDs only cause issues for your clients to connect. No protection is offered.
  • MAC address filtering is right up there with hidden SSIDs. No protection against unwanted devices connecting to your network.
  • Even with the above, if someone wants to get into your WPA2 protected Wi-Fi network, they will.
  • Therefore: don't make it harder, just for yourself.
:)
 
What L&LD wrote is not exactly true. The IP subnet assignment of the first guest WIFI for each band (2.4 and 5 GHZ) is to allow the guest WIFI to be propagated to the mesh nodes. In actual practice this works very well. I have an AC66U_B1 router and an AC68U mesh node with guest WIFI working in a small office environment.
While I have not finished testing this next part, it is possible to use a wired access point set to an IP address in the 192.168.101.x or 192.168.102.x range off of an Asus router with 386 codebase firmware and guest wifi 1 enabled to extend the reach of the guest 1 WIFI. The issue is that currently the router dnsmasq can dynamically assign any IP address in the 192.168.101.x or 192.168.102.x range. So, the potential for an IP address conflict exists. There are NVRAM settings to control the DHCP settings for the guest WIFI but I have not taken the time to sort them out.
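
The address-conflict risk described in the post above can be checked before a static address is given to a wired access point. This is an added example, not part of the original post or of the Asus firmware: the `dhcp-range` lines, the interface names `br1`/`br2`, the narrowed pool and the lease entry are constructed assumptions in standard dnsmasq syntax.

```python
import ipaddress

# Constructed dnsmasq settings; interface names br1/br2 are assumptions.
POOLS_AS_DESCRIBED = """\
dhcp-range=br1,192.168.101.2,192.168.101.254,255.255.255.0,86400s
dhcp-range=br2,192.168.102.2,192.168.102.254,255.255.255.0,86400s
"""
# Hypothetical narrowed pool that leaves .200-.254 free for static hosts.
POOLS_NARROWED = """\
dhcp-range=br1,192.168.101.2,192.168.101.199,255.255.255.0,86400s
"""
# Constructed lease file (fields: expiry, MAC, IP, hostname, client-id).
LEASES = """\
1700000000 aa:bb:cc:00:00:01 192.168.101.50 guest-phone *
"""

def parse_pools(conf):
    """Return [(label, first_ip, last_ip)] for each dhcp-range line."""
    pools = []
    for line in conf.splitlines():
        key, _, value = line.strip().partition("=")
        if key != "dhcp-range":
            continue
        label, addrs = "", []
        for field in value.split(","):
            try:
                addrs.append(ipaddress.IPv4Address(field.strip()))
            except ValueError:
                if not addrs:          # tag/interface precedes the addresses
                    label = field.strip()
        if len(addrs) >= 2:            # first two addresses are start and end
            pools.append((label, addrs[0], addrs[1]))
    return pools

def parse_leases(text):
    """Map leased IP -> MAC from dnsmasq lease-file lines."""
    rows = (line.split() for line in text.splitlines())
    return {ipaddress.IPv4Address(r[2]): r[1].lower() for r in rows if len(r) >= 3}

def check_static(ip, mac, conf, lease_text=LEASES):
    """Classify a planned static address for an AP or other wired host."""
    addr = ipaddress.IPv4Address(ip)
    holder = parse_leases(lease_text).get(addr)
    if holder and holder != mac.lower():
        return "conflict: leased to " + holder
    for label, first, last in parse_pools(conf):
        if first <= addr <= last:
            return "at risk: inside dynamic pool " + label
    return "ok: outside every dynamic pool"

if __name__ == "__main__":
    for ip in ("192.168.101.50", "192.168.101.210"):
        for name, conf in (("as described", POOLS_AS_DESCRIBED), ("narrowed", POOLS_NARROWED)):
            print(ip, name, "->", check_static(ip, "aa:bb:cc:00:00:99", conf))
```

With the full-range pool every static address in the guest subnet is reported as at risk; only a narrowed pool leaves addresses that the DHCP server will not hand out.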
 
@bbunge that is an interesting idea. But I don't think that a different subnet is required to propagate Guest Wi-Fi to AiMesh nodes though?
 
Was not talking about using an AiMesh node (another Asus router). My theory involves any access point, any brand as long as the access point is assigned an IP address in the 192.168.101.0/24 or 192.168.102.0/24 range. The AP would need to have the SSID and other settings done beforehand.
And yes, to propagate the guest WIFI to AiMesh nodes you have to use guest WIFI 1 in each band. Guest WIFI 2 and 3 will be resident on the router only.
 
I agree that Guest 1 on both bands is needed to be seen on the nodes (that is how Asus programmed them), but that doesn't necessarily mean that a different subnet is needed to propagate those Guest networks to the node either.

I don't think that simply setting up a non-AiMesh AP and using it to connect to the Guest network will keep those clients isolated. Would love to be proved wrong though.

In any case, the subnets are used to isolate the Guest (1) Networks more effectively, vs. what Asus was doing before.
 
That's a very interesting theory and I can see why that might actually work. However, it would not be the access points themselves that would have the 192.168.101/102 addresses but the clients connected to them. So the challenge would be how to create a DHCP system that assigned the appropriate IP addresses to the relevant clients. Remember that the access points themselves are mostly transparent devices (like switches).
 
No, an access point will need an IP address, subnet mask and gateway. Set your Asus router to AP mode, plug in an Ethernet cable and the router, now in AP mode will get an IP address. You do have the option to do DHCP at the AP or static at the AP (not reserved or assigned by the router). Yes, the WIFI clients that connect to the AP will also get 192.168.101/102.x IP addresses that are assigned via DHCP by the router.
Guess I'll have to do the honey-do projects early tomorrow then get busy testing this...
 
Sorry, I wasn't suggesting that the access points would not have any IP information set for them. Of course they would need that just like any other host does. But my point was that you are trying to isolate the clients, not the management interface of the access point.
 
Very interesting! Unfortunately I do not have the 386 version yet so I cannot test myself so I'll ask here.

I like the idea of proper isolation with new subnets and like everyone here has mentioned, this is desired to isolate IOT devices, but what about wired devices? I would like to put my wired Raspberry Pi on the Guest (192.168.101.x) network and if possible I'll prefer to have a single subnet for 2.4Ghz and 5Ghz.
 
I came up with the same question ... but I doubt it is doable. Most wired devices come through a switch in between the node and the main router/AP. You have to have a managed switch to specify a VLAN port; otherwise they can't get a GUEST IP address.
 
Maybe it isn't a requirement but it does seem to simplify IP based management for DNS, firewall rules and bandwidth shaping in QOS.
In 386, I can now enable QOS and still manage to give the first guest networks subnet a thin slice of bandwidth with a set ceiling rate.

My feelings wouldn't be hurt if ASUS extended multiple subnets to the rest of the Guest Networks.
But mesh nodes, using a wireless backhaul, would still have no more than 2 guest networks per band available.
 
So like others I was surprised to see the additional subnet when I first started digging into my XT8 system. After reading here I am growing more comfortable with the setup. However, now I want it to be extended to guest 2 at least. Reason being is I have always kept 2 separate guest networks...one for IOT and one for people to join when they visit. The IOT has strong password requirement while the second is an easy to remember password so the kids can share with their friends.

My setup is XT8-router upstairs with AP on main floor downstairs. Some IOT upstairs and some down. So right now IOT is on Guest 2 with only connectivity to upstairs router which is working, and the guest visitor is on the guest 1 with new subnet shared between router and AP. Would be perfection if I could have the IOT devices do the same in another subnet. Alternative I guess is to have Guest 1 2.4g be IOT and 5g be for visitors and get rid of guest 2. Thoughts?
 
