Can you separate traffic on Asus RT-AC86U?

Alpine_Messi

Occasional Visitor
Hi all,

First post in the forum, hello there!

I am looking at replacing my Virgin Media Superhub with an Asus AC86U, and am wondering if on this router it's possible to separate traffic for IoT devices such as cheap Chinese smart bulbs and switches, so they can only access the internet, and not the rest of my LAN please?

Kind regards.
 

bbunge

Part of the Furniture
Sure. Asus does have Guest 1, 2 and 3 WIFI. All can have just internet or internet and intranet access. Guest 1 will assign an IP address different from the LAN address range.
 

OzarkEdge

Part of the Furniture
Hi all,

First post in the forum, hello there!

I am looking at replacing my Virgin Media Superhub with an Asus AC86U, and am wondering if on this router it's possible to separate traffic for IoT devices such as cheap Chinese smart bulbs and switches, so they can only access the internet, and not the rest of my LAN please?

Kind regards.

You can define guest1,2,3 2.4 and 5.0 GHz WLANs (6 total) and not enable intranet (LAN) access to restrict those clients to Internet access only. Only guest1 WLANs will sync to wired/wireless AiMesh nodes. If the router is set to AP Mode and wired to the LAN, then no guest WLANs will be isolated from the LAN.

Typical guest WLAN configuration looks like this:

[Attached screenshot: Screenshot 2022-03-05 082042.jpg]


OE
 

ColinTaylor

Part of the Furniture
I am looking at replacing my Virgin Media Superhub with an Asus AC86U,
Just to avoid any misunderstanding, you can't "replace" the VM Hub as you still need to use its cable modem component. However, you can bypass its WiFi router functions (i.e. modem mode) and use the Asus for those instead.
 

eibgrad

Part of the Furniture
cheap chinese smart bulbs and switches

Switches? As in wired devices?

Let's be clear here when it comes to using the guest networks for IoT devices (or any other non guest network purposes). The guest networks *only* support wireless. There is NO wired support, which is why sometimes trying to rely on the guest networks for non guest purposes isn't the ideal solution.

Instead, you might have to use scripting to implement your own VLAN+VAP (usually based on an existing guest network interface) to achieve the desired results. Obviously this is a non-trivial task for most users, although it's been done enough times that there are threads dedicated to this approach. But AFAIK, it's all w/ Merlin, NOT oem/stock.

Of course, the other option is to configure a separate router for these purposes (for most ppl who need wired support, probably the better solution).
 

OzarkEdge

Part of the Furniture
Good point. Although the issue of wired devices still needs to be made clear.

If the OP wants to wire his light bulbs and switches, you can explain his options. :)

OE
 

Alpine_Messi

Occasional Visitor
Thank you all, I was indeed talking about light switches, motion switches, etc., not network switches :D

I've got the ability to have a guest WLAN now and never even thought of it as an option, although I think it will work, so thanks for the tip! My RT-AC86U should arrive tomorrow so I'll be trying it out.

Thanks @ColinTaylor I did realise I'll need to use the Superhub as a modem, but thanks for mentioning just in case :)

Now going off to research compatible USB 3.0 flash drives for all the cool addons :cool:
 

heywire

Regular Contributor
Just an FYI: if you run the bulbs and switches on a guest network with Intranet access "Disabled" (which is the whole point here, to shield them from the primary wifi), then each unit/client will be totally isolated and not able to see and speak to each other on the network, only access the internet.

Your solution in this case is Merlin firmware plus adding the YazFi plugin, which will let you enable the clients on a guest network to see each other, while being isolated from clients on the primary network. They are on separate subnets.

A limitation with YazFi is that it is not possible to run a 2.4ghz and a 5ghz guest network SSID with the same name and have the ability to communicate across those frequency bands; clients on "SSID 1-2ghz" and "SSID-5ghz" can only talk to other clients on the respective 2.4ghz or 5ghz networks/subnets.

But the latter is probably not likely to be an issue for you, since most of the smarthome-units run exclusively on 2.4ghz anyways, and all of them support it, so a 2.4ghz Guest Network SSID with YazFi enabled will serve your purposes adequately.
 

TIm Fitz

New Around Here
Just make sure you test that your guest network works as intended, as I can say that many times it does not isolate the devices from seeing the entire network even with "Access Intranet" disabled.

There are many threads on this bug that has yet to be fixed by Asus.



Are just a few examples. I have an RT-AC68U and have never found a solution as all devices always get a network address within the main subnet. This even happens when using Guest 2 and 3 which others claim has resolved their issue.
 

eibgrad

Part of the Furniture
I have an RT-AC68U and have never found a solution as all devices always get a network address within the main subnet. This even happens when using Guest 2 and 3 which others claim has resolved their issue.

IMO, the fundamental flaw w/ ASUS when it comes to the guest networks is having them share the private network. Now isolation can only be managed at the ethernet (layer 2) level using ebtables, which is often problematic. And if you dump ebtables w/ guests enabled and intranet access denied, you'll see the problem.

Code:
ebtables -t broute -L

Here's what you get w/ guest #2 (2.4GHz) enabled and intranet access denied.

Code:
[user@host]:/tmp/home/root# ebtables -t broute -L
Bridge table: broute

Bridge chain: BROUTING, entries: 5, policy: ACCEPT
-p IPv4 -i wl0.2 --ip-dst 192.168.1.1 --ip-proto icmp -j ACCEPT
-p IPv4 -i wl0.2 --ip-dst 192.168.1.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl0.2 --ip-dst 192.168.1.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl0.2 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
-p IPv4 -i wl0.2 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP

By default, it only blocks ICMP and TCP (and specifically for the private IP network, e.g., 192.168.1.0/24). *ALL* other access is permissible, including UDP, and any other IP networks that may be reachable from the private network (e.g., an OpenVPN client and its remote network). That's why you can't isolate guests from/to the VPNs w/o a third-party solution like YazFi. The fact YazFi even exists is a tacit admission that guests networks are fundamentally flawed.

This is why I do NOT use guest networks on ASUS firmware. You're far better off to use a separate router for such purposes (ideally w/ third-party firmware so you can manage its IP firewall), daisy-chained behind the ASUS router. Now the guest network is on its own ethernet segment and isolated at the IP level using an IP firewall. And as long as configured properly, will provide far better results.

Or else you have to try to implement VLANs as described in other threads. Personally, I find using additional hardware easier for most folks. It's far less technically challenging.

Anyway, this issue of guest networks has been beaten to death, so it's not like it's unknown to vets around here. But just something newbs should be aware of.

JMTC
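The two posts above make the same point from different sides: test that the guest network actually isolates, and look at the ebtables broute dump to see what it does and does not block. The following is an added example, not code from the thread or from Asus/Merlin, that turns that inspection into a repeatable check: it parses a `ebtables -t broute -L` dump (the sample embedded below is constructed from the output quoted above) and reports, per destination network, which IP protocols toward it are not DROPped for a given guest interface. The interface name `wl0.2`, the LAN subnet and the extra `10.8.0.0/24` "VPN remote network" are assumptions for the demonstration; on a real router you would feed it the live dump and your own subnets.

```python
import ipaddress
import re

# Constructed sample: the broute dump quoted in the thread, guest #2 (wl0.2)
# enabled with intranet access denied. Shell prompt omitted.
SAMPLE_DUMP = """\
Bridge table: broute

Bridge chain: BROUTING, entries: 5, policy: ACCEPT
-p IPv4 -i wl0.2 --ip-dst 192.168.1.1 --ip-proto icmp -j ACCEPT
-p IPv4 -i wl0.2 --ip-dst 192.168.1.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl0.2 --ip-dst 192.168.1.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl0.2 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
-p IPv4 -i wl0.2 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
"""

# Matches only the rule shape seen in the dump above; other rule forms are ignored.
RULE_RE = re.compile(
    r"-p IPv4 -i (?P<iface>\S+) --ip-dst (?P<dst>\S+) "
    r"--ip-proto (?P<proto>\S+) -j (?P<target>\S+)"
)


def parse_broute(dump):
    """Return (chain policy, list of rule dicts) from an ebtables broute listing."""
    policy = None
    rules = []
    for line in dump.splitlines():
        m = re.search(r"policy: (\S+)", line)
        if m:
            policy = m.group(1)
            continue
        m = RULE_RE.match(line.strip())
        if m:
            rule = m.groupdict()
            # A bare host address becomes a /32 network so subnet tests work uniformly.
            rule["dst"] = ipaddress.ip_network(rule["dst"], strict=False)
            rules.append(rule)
    return policy, rules


def audit_guest_isolation(dump, guest_iface, lan_subnet, extra_subnets=()):
    """List (network, protocol) pairs that traffic from guest_iface can still reach.

    A pair counts as covered only if some DROP rule on guest_iface for that
    protocol matches the whole network. Only the protocols ebtables filters
    here (icmp, tcp, udp) are considered; with policy ACCEPT, anything not
    dropped is allowed.
    """
    policy, rules = parse_broute(dump)
    targets = [ipaddress.ip_network(lan_subnet)]
    targets += [ipaddress.ip_network(n) for n in extra_subnets]
    gaps = []
    for net in targets:
        for proto in ("icmp", "tcp", "udp"):
            dropped = any(
                r["iface"] == guest_iface
                and r["proto"] == proto
                and r["target"] == "DROP"
                and net.subnet_of(r["dst"])
                for r in rules
            )
            if not dropped:
                gaps.append((str(net), proto))
    return sorted(gaps)


if __name__ == "__main__":
    policy, _ = parse_broute(SAMPLE_DUMP)
    print("BROUTING policy:", policy)
    # 10.8.0.0/24 is an assumed OpenVPN remote network reachable from the LAN.
    for net, proto in audit_guest_isolation(
        SAMPLE_DUMP, "wl0.2", "192.168.1.0/24", extra_subnets=("10.8.0.0/24",)
    ):
        print(f"NOT blocked from wl0.2: {proto.upper()} to {net}")
```

Run against the sample it reports UDP to the LAN and all three protocols to the assumed VPN network as unblocked, which is exactly the observation in the post: the rules cover ICMP and TCP toward the one private subnet and nothing else, and the chain policy is ACCEPT. On a live router, replace `SAMPLE_DUMP` with the captured output of `ebtables -t broute -L` and re-run after any firmware or YazFi change to confirm the coverage you expect.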
 