(BUG) Guest Network 2 able to access Intranet even when access is disabled


nikr

Regular Contributor
I am using Guest network 2 for all my IoT devices (untrusted ones) with Intranet access disabled. Today I just discovered that a laptop connected to this (Guest 2) network can access all intranet devices except for the router itself. By access I mean ping and pull up the web interface of devices connected to the main network. Guest network 1 seems to be working as expected. Anybody else seeing this issue? Any workaround?
I am running the latest firmware "3.0.0.4.386_42095" on ax86u.

edit: updated title after bug is confirmed by bbunge. I've submitted feedback to Asus. I would suggest others do the same. Let's hope it gets fixed in the next release.
 

bbunge

Part of the Furniture
Confirmed OP claim.
Guest network 2 can access devices on LAN.
Guest network 1 is OK.
My test done with Merlin 386.2.
 

nikr

Regular Contributor
Update on this bug.

There is something funky going on with firewall rules. It seems sometimes they get applied and sometimes they do not. Sometimes toggling intranet access from the UI works, sometimes you'll have to reboot the router for it to take effect, and sometimes neither of them works.

And then there are situations when all the guest networks are isolated and you reboot the router and all of a sudden the guest network can access the intranet, including the router UI, even though intranet access is disabled.

And finally the state it is in right now. I can ping all the devices in Guest network #1, but they cannot ping any other devices in any other network.

I have nothing special going on with my configuration. I've factory defaulted it yesterday, am on latest official build.
 

azbruno

Occasional Visitor
I just did a little experiment on my RT-AC88U running firmware version 3.0.0.4.386.41700.

All devices on my ethernet or wifi connected home network have IP addresses 192.168.1.xxx. Using a laptop I connected to the guest network index 1 and the IP is 192.168.101.xxx. If I connect it to the guest network index 2 the IP is 192.168.1.xxx. Both guest networks disable Intranet.

In both cases, with Network Discovery turned on in Windows on the laptop it is able to see my local PC from the Windows network view. This was not expected. But when I tried to access shared folders on my PC from the laptop on either of the guest networks, it failed to access the folders.
 

bbunge

Part of the Furniture
> I just did a little experiment on my RT-AC88U running firmware version 3.0.0.4.386.41700.
>
> All devices on my ethernet or wifi connected home network have IP addresses 192.168.1.xxx. Using a laptop I connected to the guest network index 1 and the IP is 192.168.101.xxx. If I connect it to the guest network index 2 the IP is 192.168.1.xxx. Both guest networks disable Intranet.
>
> In both cases, with Network Discovery turned on in Windows on the laptop it is able to see my local PC from the Windows network view. This was not expected. But when I tried to access shared folders on my PC from the laptop on either of the guest networks, it failed to access the folders.

First, you should be using firmware 9.0.0.4.386.41994

I set up a fresh install of Windows 10 on an AC capable laptop. Connected to my Guest 1 on 2.4 GHz. Could not access any resources on the main LAN. Tried SMB shares, browsed for other PCs and tried to access the router. Could not connect to anything except the internet. I suspect something is wonky with your PC or router setup. But I agree that there are issues with Guest 2 and 3 isolation from LAN/Intranet.
 

azbruno

Occasional Visitor
@bbunge, why should I be using beta firmware 9.0.0.4.386.41994?

Setting Control panel->Network and Sharing Center->Advanced sharing settings->Turn on network discovery allowed the laptop on the guest network to see the existence of the other PC on the LAN but not able to see any shared folders on that PC. With Network Discovery off I could not see anything on the LAN. How was it set on your laptop when you ran your test? I'm not sure there is anything wonky or wrong with my setup... but I'm not a network expert so I come here to gain a bit more insight as I can.

In my case I use Guest Network 1 for real guests. Guest Network 2 is for my streaming devices and satellite box.
 

nikr

Regular Contributor
When intranet access is disabled, Guest network should be totally isolated, period. No matter how your PC is set up.
Here is what I think is happening (at least in my case): after all the interfaces are up, the router applies iptables rules to isolate the guest network (based on what you've selected in the UI), and for some reason for some of us those rules are messed up and do not get applied properly all the time. I've factory defaulted my router a few times, and this problem seems to return almost every time.

Could it be that it only happens to those using two guest networks? I also have guest #1 for Regular guests and Work PCs and Guest #2 for IoT devices. It also seems to be affecting only a few users. Or it could be that it's widespread and people are just assuming that their guest networks are isolated.
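
A repeatable version of the manual tests described in this thread, to be run from a client on the guest SSID after every reboot or UI toggle (added example, not code from any poster or from Asus). The client address, LAN host list and /24 masks are constructed values based on the 192.168.1.xxx and 192.168.101.xxx ranges reported above; the ports cover the web-interface and SMB checks the posters did by hand.

```python
import ipaddress
import socket

def path_type(client_if, target):
    """'same-subnet' means frames go client-to-host at layer 2 and are never
    routed; 'routed' means the router forwards between IP subnets."""
    net = ipaddress.ip_interface(client_if).network
    return "same-subnet" if ipaddress.ip_address(target) in net else "routed"

def tcp_probe(host, port, timeout=1.0):
    """'open' = handshake completed, 'refused' = something answered with a
    reset or reject (host or firewall), 'filtered' = silence or no route."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "filtered"

def check_isolation(client_if, targets, ports=(80, 443, 445), probe=tcp_probe):
    """Probe every target/port and return (target, port, state, path) for each
    one that was not silently dropped. 'open' is a definite isolation leak."""
    findings = []
    for target in targets:
        for port in ports:
            state = probe(target, port)
            if state != "filtered":
                findings.append((target, port, state, path_type(client_if, target)))
    return findings

if __name__ == "__main__":
    # Constructed values: a Guest 2 client that received a main-LAN style
    # address, and two hypothetical hosts on the main network.
    client_if = "192.168.1.150/24"
    lan_hosts = ["192.168.1.10", "192.168.1.20"]
    findings = check_isolation(client_if, lan_hosts)
    for target, port, state, path in findings:
        print(f"{state.upper():8} {target}:{port} ({path})")
    # Non-zero exit when any LAN service accepted a connection.
    raise SystemExit(1 if any(f[2] == "open" for f in findings) else 0)
```

A "refused" result is reported but not counted as a leak, because a reset can come from the LAN host or from a rejecting firewall rule; the path column shows whether the guest client shares the LAN subnet, as reported for guest network index 2.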
 

bbunge

Part of the Furniture
> @bbunge, why should I be using beta firmware 9.0.0.4.386.41994?
>
> Setting Control panel->Network and Sharing Center->Advanced sharing settings->Turn on network discovery allowed the laptop on the guest network to see the existence of the other PC on the LAN but not able to see any shared folders on that PC. With Network Discovery off I could not see anything on the LAN. How was it set on your laptop when you ran your test? I'm not sure there is anything wonky or wrong with my setup... but I'm not a network expert so I come here to gain a bit more insight as I can.
>
> In my case I use Guest Network 1 for real guests. Guest Network 2 is for my streaming devices and satellite box.

Use the beta firmware because of the dnsmasq vulnerability in the prior versions.

Yes, I had file and printer sharing enabled. I moved the laptop over to my "main" WIFI and all the LAN clients showed up.
 

azbruno

Occasional Visitor
> Use the beta firmware because of the dnsmasq vulnerability in the prior versions.
>
> Yes, I had file and printer sharing enabled. I moved the laptop over to my "main" WIFI and all the LAN clients showed up.

File and printer sharing is a different setting from Network discovery. Was Network discovery on or off?

I guess I need to see what dnsmasq is about.
 
