
Best Practice/Settings for Current ASUS BE Firmware....

jzchen

Very Senior Member
I have recently set up a GT-BE98 Pro as primary router at home. It was already on the latest ASUSwrt firmware and I was trying to help someone with their new setup. I find it interesting how firmware/implementation has changed over the last 2 years and 1 1/2 months. It's still a bit to handle even for the well initiated, let alone those figuring out how things work on ASUSwrt 5.0 or 6.0 from 4.0, and probably the worst for those who are completely new.

MLO is by default off. I was asked how TP-Link and ASUS compare by my contact, who I now consider a friend, over there at ASUS. TP-Link's products just work with default settings, is pretty much what sums up my experience. After upgrading an RT-AC68U to a GT-AXE11000, then adding/upgrading to a GT-AXE16000, I had no 6E devices in the household for I'm guessing half a year. When we did get my son's MacBook Pro M2 MAX, 6 GHz did not work right out of the box. So, a month or so in, I bought a TP-Link RE815XE, and behold, it worked. Copied over the settings that were different and behold ASUS 6E worked!

I'm not sure I'm in full agreement with the default settings as provided, therefore this thread. In the beginning WiFi 7 channels were not backwards compatible with older standards, the difference being AES vs AES+GCMP256. Also 6 GHz requires WPA3 (unless you want Enhanced Open which I never tried to be honest). I don't know exactly when it happened, but WiFi 7 was made backwards compatible to at least WiFi 6, if not even older. For example, even though the setting is set to WPA2/WPA3-Personal on the GT-BE19000Ai, when I go to my OnePlusOpen WiFi the security listed is WPA/WPA2/WPA3-Personal on the unique SSID I set up for it. Someone over on the ROG forum that I know has two GT-BE98 Pros running, and I guess that was prepared especially for him because he had a WPA-requiring printer....

It is hard to make a blanket statement this is how best to configure the SSIDs, but I can confirm that if you Smart Connect 2.4 GHz, 5 GHz, and 6 GHz the proper WPA2/WPA3 is applied to 2.4 and 5 GHz, while WPA3 is applied to 6 GHz. You don't want WPA2 on 6 GHz, because no device running on 6 GHz uses that encryption.

If you're going to combine/aka SmartConnect all channels, then also want/enable MLO for fronthaul, at least in my opinion, move all non-WiFi 7 clients to your IoT SSID. Meaning switch Main from the default WPA2/WPA3-Personal to WPA3-Personal. Change AES to AES+GCMP256. On the IoT SSID, change WPA2-Personal to WPA2/WPA3-Personal, and leave AES. You may also add 6 GHz for 6E clients for the IoT SSID...

One_SSID_for_all_BE98_Pro.jpg
 
And the user can actually set 6GHz band with WPA2? Wi-Fi 6E/7 requires WPA3, it's not optional.
SmartConnected (all channels checked) WPA2/WPA3-Personal is allowed. I was wondering what would show in security when connected to 6 GHz.
 
I was wondering what would show in security when connected to 6 GHz.

This band requires WPA3 only. It will show WPA3, otherwise the device won't be connected.
 
This band requires WPA3 only. It will show WPA3, otherwise the device won't be connected.
Thanks. I definitely know about that. Just checking for possible bug. WiFi 7 and MLO also require WPA3 I was told, so WPA2 should disappear if MLO is toggled, but it is still there per another post on another thread...
 
This shows for example from the Ai router:
2695.jpg
 
MLO (5GHz and 6Ghz only, no 2.4) and Smart Connect BOTH enabled. No AiProtection either. Everything else default.

I have found this to work best for my iOS household. I get full advertised speeds up and down (wired and wireless). Reboot once every couple of weeks. No issues whatsoever.

AFC also enabled on my BE19000ai router. Working flawlessly.
 
It is hard to make a blanket statement this is how best to configure the SSIDs, but I can confirm that if you Smart Connect 2.4 GHz, 5 GHz, and 6 GHz the proper WPA2/WPA3 is applied to 2.4 and 5 GHz, while WPA3 is applied to 6 GHz. You don't want WPA2 on 6 GHz, because no device running on 6 GHz uses that encryption.

If you're going to combine/aka SmartConnect all channels, then also want/enable MLO for fronthaul, at least in my opinion, move all non-WiFi 7 clients to your IoT SSID. Meaning switch Main from the default WPA2/WPA3-Personal to WPA3-Personal. Change AES to AES+GCMP256. On the IoT SSID, change WPA2-Personal to WPA2/WPA3-Personal, and leave AES. You may also add 6 GHz for 6E clients for the IoT SSID...

Just want to check that I am understanding this correctly....

ASUS suggests using an IOT/alternate network for maximum compatibility of older devices, however the way I'm reading your suggestion, is to set it up the other way around and use the alternate network for newer devices and leave the main network for everything else.

Sounds interesting and worth trying. I don't think it will fix my washing machine's current connectivity issues though, but it might stabilise or improve the rest of the network.
(Since I switched off my IOT network and therefore my washing machine is no longer connected, my BE92U has been reasonably stable, although it could be a lot better than it is.)

GJ
 
Sorry I was not clear.

No, the first SSIDs it asks for is for newer devices, and the second one it asks for is older devices. I am not suggesting to flip this...

In my screenshot I made a single Main SSID with all four channels. I did not turn on MLO, because my single WiFi 7 device is my Android phone, and it only reports connecting to a single band in an MLO SSID anyways.

What is newish to me are these reports of hidden SSIDs that are created. These seem to support backwards compatibility with older WiFi standards. This did not exist 2 years ago when I first got my hand on the BE98 Pro. You had to create a "Legacy/IoT" SSID or the only thing connecting to your WiFi 7 band was WiFi 7 devices. Others would connect for a few minutes, fail to negotiate the AES+256GCMP, and drop off.

I think I did swap them at one time. I was trying to follow the TP-Link implementation of MLO on my Deco BE95, which was 5 GHz and 6 GHz only. At that time ASUS Main MLO forced you to use up all your channels together, for the BE98 Pro it was all 4. But strangely I could set it up for 5 GHz and 6 GHz in the Guest Network Pro. The results were terrible. I saw almost no WiFi clients connecting to the router. Eventually I started plastering the house with WiFi nodes....
 
@GJJ Of course only if you are okay with it, have you tried connecting the washing machine to the main SSID? I have few IoTs, and unbeknown to me I had inserted network switches that were very likely detrimental to IoT networks extending to my nodes. So although I tried, I did not get very far and connect them to the Main.

Again the reason why I ask is because one can now set WPA2/WPA3-Personal and AES on the WiFi 7 SSID, even MLO I am seeing. I understand there is some sort of security concern with the practice. One of mine's a Rheem water heater, the other a Deltran car battery charger which was discontinued service just as FYI...
 
@GJJ Of course only if you are okay with it, have you tried connecting the washing machine to the main SSID? I have few IoTs, and unbeknown to me I had inserted network switches that were very likely detrimental to IoT networks extending to my nodes. So although I tried, I did not get very far and connect them to the Main.

Again the reason why I ask is because one can now set WPA2/WPA3-Personal and AES on the WiFi 7 SSID, even MLO I am seeing. I understand there is some sort of security concern with the practice. One of mine's a Rheem water heater, the other a Deltran car battery charger which was discontinued service just as FYI...

Originally, I set up my router like my old AC68U and had all devices on the same network with the same settings. At the start it worked ok, but things fell apart close to the end of the year with newer fw releases.
I then set up the main network and the IOT network. At this point I realised some smart bulbs were causing havoc and crashing the 2.4GHz radio, and since I wasn't using them as smart, I bumped them off the network. The washing machine was happy for a month or 2 as the sole client on the IOT network, but it eventually got into a continuous associate, de-associate loop. No settings were changed on the router and no new FW, so I can't work out why it happened.
The rest of the devices seem to be happy, although the router goes through stages with little free memory and near 100% activity on Core 2 and then a few hours later, memory comes back to over 200MB free and Core 2 settles down to under 40% (the other 3 cores barely get past 10%). My daughter does complain that her Roblox games get choppy and slow down, but she won't let me anywhere near her computer to see if it is the computer that's the issue or the wifi that's the issue. (Happens about the same time as high activity and low memory on the router 🤷‍♂️).

My computer and the TV are on ethernet, so my wife and I are happy. 😁

We have one old iPhone and iPad that are on the main wireless network and I had thought about bumping them to the alternate network before I read your post. They work, but could things be better?

Anyway, your suggestions make sense and are worth trying when I get the time. If they make a positive difference, then good. If they don't change anything or it's worse, then I can just go back to the way it is now.

GJJ
 
at least in my opinion, move all non-WiFi 7 clients to your IoT SSID

Not sure how is this in "best practice" category, but doing so will cut off the communication between Wi-Fi 7 and non-Wi-Fi 7 devices. Your Wi-Fi 7 laptop can't use the printer anymore as example. Also why not leave Wi-Fi 6E devices on the 6GHz WPA3 main network in your suggested configuration? They also require WPA3 only. I find your configuration and suggestions limiting the user experience.

If it's so big of a problem setting up this ASUS router by a regular consumer - your observation "TP-Link just works" is perhaps the best pointer what to do next. Your friend at ASUS perhaps wasn't very happy to hear about your better experience with products made by major competitor.
 
Not sure how is this in "best practice" category, but doing so will cut off the communication between Wi-Fi 7 and non-Wi-Fi 7 devices. Your Wi-Fi 7 laptop can't use the printer anymore as example. Also why not leave Wi-Fi 6E devices on the 6GHz WPA3 main network in your suggested configuration? They also require WPA3 only. I find your configuration and suggestions limiting the user experience.

That's not how it seems to work. These "networks", as they are labelled in the router UI, aren't VLANs, they are "different" wifi networks with different settings required to connect to the router. Connecting to network A gives you just as much access to the router and other devices on the network as it does when connecting to network B. The difference is that network A is configured to one set of wifi connection parameters, while network B is configured for a different set of wifi connection parameters. How the hell 1 radio is supposed to support 2 different network configurations simultaneously, without screwing it all up, idk, but this is what it is supposed to do.

If it's so big of a problem setting up this ASUS router by a regular consumer - your observation "TP-Link just works" is perhaps the best pointer what to do next. Your friend at ASUS perhaps wasn't very happy to hear about your better experience with products made by major competitor.

Yeah it is a bit strange and it should "just work", but this seems to be ASUS's convoluted work around for whatever the problem they have with WiFi 7. You're right, for a consumer product, this idea is sub par and the device should "just work" out of the box for almost 100% of customers and almost 100% of devices: this is what standards are meant for! As you may have guessed from my previous posts, I don't mind screwing around with settings to customise the setup for me, so I don't mind this kind of stuffing around and find it a type of challenge to get the device working well. (I'd also probably be the last one on the Titanic, saying, "I can fix it! I can fix it!", but that's just me.)

GJ
 
That's not how it seems to work. These "networks", as they are labelled in the router UI, aren't VLANs, they are "different" wifi networks with different settings required to connect to the router.

I'm looking at the screenshot @jzchen attached. In the description it says clearly "Easily separate a network for your IoT devices". If the description is correct - it's a separate network and not just different SSID. I know the terms on consumer devices are sometimes used with different meaning, but on every SMB equipment when you create a new Network one of the first questions is to select VLAN ID. ASUS moved to similar Network configuration method in 3006 firmware (select models, GT-BE98 Pro included) and I expect the same meaning resulting in no communication between Wi-Fi 7 and non-Wi-Fi 7 devices as per @jzchen suggestion. Far from convenient on a home network.
 
Not sure how is this in "best practice" category, but doing so will cut off the communication between Wi-Fi 7 and non-Wi-Fi 7 devices. Your Wi-Fi 7 laptop can't use the printer anymore as example. Also why not leave Wi-Fi 6E devices on the 6GHz WPA3 main network in your suggested configuration? They also require WPA3 only. I find your configuration and suggestions limiting the user experience.

If it's so big of a problem setting up this ASUS router by a regular consumer - your observation "TP-Link just works" is perhaps the best pointer what to do next. Your friend at ASUS perhaps wasn't very happy to hear about your better experience with products made by major competitor.
It's kind of obvious with your tone towards ASUS products, that you haven't set up an ASUS WiFi 7 system for any of your customers. There's this saying, "the customer is always right", although I find any one human being can't always be right...

BUT you might broaden your customer base if you were willing to set up one of these ASUS systems for your customers....

The Legacy/IoT network is in the same subnet as the main network. There is no option to select same or not same aka VLAN. Again how they implement a hidden SSID that helps to make backwards compatibility is proprietary. It is there say hidden, and the exact same specs as your main SSID. They did not use to be there, but from sniffing around with Network Analyzer ASUS isn't the only one....

Just like you can enable allow access to main network, or use same subnet as main network option when creating an SDN.....
 
for your customers...

The good thing - my businesses are unrelated to equipment installation. I do have a business with equipment destruction though. With your free router... one day when you have enough... I may provide guidance how to proceed... with customized satisfaction levels. 🤭
 
I'm looking at the screenshot @jzchen attached. In the description it says clearly "Easily separate a network for your IoT devices". If the description is correct - it's a separate network and not just different SSID. I know the terms on consumer devices are sometimes used with different meaning, but on every SMB equipment when you create a new Network one of the first questions is to select VLAN ID. ASUS moved to similar Network configuration method in 3006 firmware (select models, GT-BE98 Pro included) and I expect the same meaning resulting in no communication between Wi-Fi 7 and non-Wi-Fi 7 devices as per @jzchen suggestion. Far from convenient on a home network.
The initial setup of this particular router, the GT-BE98 Pro, with the latest firmware, asks for an SSID or SSIDs for individual channels. It then asks for an IoT SSID. These are on the same subnet per my understanding. The main SSID and IoT SSID are not separate (VLAN) and you make a good point that it implies that it is...

There's very likely a language barrier going on here. It's thinking in Chinese and translating to English. The problem is also partly English is egocentric. If you don't try to be understanding it is clearly gonna be a problem....

Or you could say that saying they were wrong to say it that way is not best practice...
 
@GJJ The setup of the Main and IoT SSIDs does seem to encompass all possible WiFi devices. This is not why I posted this thread. It was to discuss if it could be made better by adjusting this, or that, while keeping that same level of compatibility.

MLO is default turned off, and disabled it seems by the multi toggle process needed to get it to work...

I believe the first SSID(s) are set as:
WPA2/WPA3-Personal, AES
The IoT SSID:
WPA2-Personal, AES

Yet for the Main SSID WiFi 7 is noted, I assume that simply means 4k QAM is available. (MLO was not even an option, similar to AFC, in the initial release firmware. When it was released, the MLO network was only compatible with WiFi 7 devices)...

So I checked to make sure that 2.4 GHz and 5 GHz are properly WPA2/WPA3-Personal (aka transitional) and 6 GHz is WPA3 only as that is its specific operating mode besides Enhanced Open.

I am curious if rearranging the initial setup would be "best practice"

I shifted IoT to Legacy IoT settings
WPA2/WPA3-Personal, AES
I shifted the Main SSID
WPA3-Personal, AES+GCMP256

Maybe this is helpful to some, (which would be great), and I am grateful if anyone shares what works for them...
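
An added example, not part of the thread and not ASUS code: the per-band check discussed above can be made independent of the router GUI by decoding the RSN element each BSS advertises in its beacons and auditing the AKM and cipher suites per band. The sample elements are constructed; `audit` and its `expect_gcmp256` flag (modelling the AES+GCMP256 Main SSID setting suggested in the thread) are hypothetical names, and the PMF-required check on 6 GHz reflects the Wi-Fi Alliance WPA3 requirement rather than anything stated in the thread.

```python
import struct

OUI = b"\x00\x0f\xac"  # IEEE 802.11 suite selector OUI
CIPHERS = {2: "TKIP", 4: "CCMP-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 6: "PSK-SHA256", 8: "SAE", 18: "OWE", 24: "SAE-EXT-KEY"}
WPA2_PSK, WPA3_SAE = {"PSK", "PSK-SHA256"}, {"SAE", "SAE-EXT-KEY"}

def _name(sel, table):
    """Map one 4-byte suite selector (OUI + type) to a readable name."""
    return table.get(sel[3], f"type-{sel[3]}") if sel[:3] == OUI else "vendor-specific"

def _suite_list(body, off, table):
    """Read a little-endian 16-bit count, then that many suite selectors."""
    if off + 2 > len(body):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", body, off)
    end = off + 2 + 4 * count
    if end > len(body):
        raise ValueError("suite list runs past end of element")
    return [_name(body[i:i + 4], table) for i in range(off + 2, end, 4)], end

def parse_rsn(element):
    """Decode an RSN element (ID 48) as carried in a beacon or probe response."""
    if len(element) < 8 or element[0] != 48 or element[1] != len(element) - 2:
        raise ValueError("not a well-formed RSN element")
    body = element[2:]
    if struct.unpack_from("<H", body)[0] != 1:
        raise ValueError("unsupported RSN version")
    group = _name(body[2:6], CIPHERS)
    pairwise, off = _suite_list(body, 6, CIPHERS)
    akms, off = _suite_list(body, off, AKMS)
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {"group": group, "pairwise": pairwise, "akms": akms,
            "pmf_capable": bool(caps & 0x80), "pmf_required": bool(caps & 0x40)}

def audit(band_ghz, element, expect_gcmp256=False):
    """Return findings for one BSS; an empty list means nothing was flagged."""
    rsn, out = parse_rsn(element), []
    akms = set(rsn["akms"])
    if akms & WPA2_PSK and akms & WPA3_SAE:
        out.append("transition mode: WPA2-PSK clients are still accepted")
    if band_ghz == 6 and akms & WPA2_PSK:
        out.append("WPA2-PSK advertised on 6 GHz")
    if band_ghz == 6 and not rsn["pmf_required"]:
        out.append("PMF not required on 6 GHz")
    if expect_gcmp256 and "GCMP-256" not in rsn["pairwise"]:
        out.append("GCMP-256 not offered as a pairwise cipher")
    return out

# Constructed sample elements (not captured from any router in the thread).
TRANSITION = bytes.fromhex("30180100000fac040100000fac040200000fac02000fac088000")
WPA3_ONLY = bytes.fromhex("30180100000fac040200000fac04000fac090100000fac08c000")
```

Feed it the RSN element bytes from a capture of your own access point's beacons, one call per band, and compare the findings against what the GUI claims is configured.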
 
I still believe IoT Network is something separate. This is what GUI description says as well. People tend to isolate IoT devices from their Main Network and ASUS somewhat automated the process. If ASUS means something else by setting up IoT Network - it's rather strange. 🤷‍♂️
 
