That makes sense, thanks for solving the mystery.
That makes sense, thanks for solving the mystery.
Jack Yaz
Part of the Furniture
It will allow various choices, I just haven't settled on the preferred implementation to make it easy for users to set up. Once I have, I'll get going with the development
Still settling in to a new job which has stifled development energy somewhat!
It will allow various choices, I just haven't settled on the preferred implementation to make it easy for users to set up. Once I have, I'll get going with the development
Still settling in to a new job which has stifled development energy somewhat!
Hey Jack,
did you perhaps managed to finish this implementation?
phedoreanu
New Around Here
Jack Yaz
Part of the Furniture
Specific hosts, no, not yet. I did implement "one way" access however.
amplatfus
Senior Member
Hi,
Could you please share the "one way" method? I have a AC88U and editing VLAN is not working because there's no way to configure VLANs on the Realtek switch.
I want to restrict LAN 1 to router IP (80 port, ssh, telnet...) all TCP if possible.
Thank you,
amplatfus
eibgrad
Part of the Furniture
What I have to add is probably a bit controversial, but I'll say it anyway.
The problem as I see it is that the OP wants to manage guest/IOTs networks in a way that is antithetical to the Merlin design.
In the world of guest/IOT management, you have two typical strategies. You either keep guests/IOT on the *same* network interface (and by definition, the same IP network) and manage access between them and the private network at the ethernet level (ebtables, tagging, etc.), OR, you keep them on separate network interfaces using *different* ethernet and IP networks, then firewall the guest/IOT networks from the private network at the IP level.
Each strategy has its advantages and disadvantages.
When everyone is using the same network interface, you're depending on the router to manage policies to maintain separation, as I said, either w/ ebtables and/or tagging, and even AP isolation. In some ways, it's simpler to understand. But some ppl then want to manage individual access between devices. And they may not like the idea of guest/IOT devices being able to "see" devices on the private network (even if they are denied access). On the plus side, network discovery works normally.
When guest/IOT and the private networks are using different network interfaces (which is how tomato and dd-wrt work), you have the option to work w/ the IP firewall and iptables to manage that separation. However, network discovery is lost between those network interfaces unless you install and configure Avahi (usually via Entware) to regain it.
So to my mind, you're dealing w/ two different philosophies here. And something like YazFi (if I understand it correctly when it comes to this issue) is just returning Merlin to its roots (tomato). And if that's the case, then why bother w/ Merlin +YazFi at all? Why not just go back to tomato (e.g., FreshTomato)?
I don't want to be misunderstood here. I'm not claiming one strategy is necessarily better than the other. What I'm saying is that Merlin has made a decision as to how he wants his firmware to work based on his own considerations/preferences. To then have something like YazFi undo that and return the router to the more traditional means of managing guest/IOT networks just doesn't make sense. Again, why not just return to where it all began; tomato! If there's such a clamor for this return (even to the point that YazFi would be integrated into Merlin), it calls into question the original decision to NOT have the guest/IOT networks on separate network interfaces.
JMTC
P.S. I'm far from from being an expert on Merlin. My expertise is much more w/ tomato and dd-wrt. So it's entirely possible I'm missing some key points here. This is just my observation of Merlin and its differences w/ tomato and dd-wrt from a distance.
The problem as I see it is that the OP wants to manage guest/IOTs networks in a way that is antithetical to the Merlin design.
In the world of guest/IOT management, you have two typical strategies. You either keep guests/IOT on the *same* network interface (and by definition, the same IP network) and manage access between them and the private network at the ethernet level (ebtables, tagging, etc.), OR, you keep them on separate network interfaces using *different* ethernet and IP networks, then firewall the guest/IOT networks from the private network at the IP level.
Each strategy has its advantages and disadvantages.
When everyone is using the same network interface, you're depending on the router to manage policies to maintain separation, as I said, either w/ ebtables and/or tagging, and even AP isolation. In some ways, it's simpler to understand. But some ppl then want to manage individual access between devices. And they may not like the idea of guest/IOT devices being able to "see" devices on the private network (even if they are denied access). On the plus side, network discovery works normally.
When guest/IOT and the private networks are using different network interfaces (which is how tomato and dd-wrt work), you have the option to work w/ the IP firewall and iptables to manage that separation. However, network discovery is lost between those network interfaces unless you install and configure Avahi (usually via Entware) to regain it.
So to my mind, you're dealing w/ two different philosophies here. And something like YazFi (if I understand it correctly when it comes to this issue) is just returning Merlin to its roots (tomato). And if that's the case, then why bother w/ Merlin +YazFi at all? Why not just go back to tomato (e.g., FreshTomato)?
I don't want to be misunderstood here. I'm not claiming one strategy is necessarily better than the other. What I'm saying is that Merlin has made a decision as to how he wants his firmware to work based on his own considerations/preferences. To then have something like YazFi undo that and return the router to the more traditional means of managing guest/IOT networks just doesn't make sense. Again, why not just return to where it all began; tomato! If there's such a clamor for this return (even to the point that YazFi would be integrated into Merlin), it calls into question the original decision to NOT have the guest/IOT networks on separate network interfaces.
JMTC
P.S. I'm far from from being an expert on Merlin. My expertise is much more w/ tomato and dd-wrt. So it's entirely possible I'm missing some key points here. This is just my observation of Merlin and its differences w/ tomato and dd-wrt from a distance.
Similar threads
Similar threads
Similar threads
-
Asus 2.4Ghz auto control channel chooses suboptimal channels
- Started by MKLBNS
- Replies: 8
-
-
Asus Router Not Accessible, No Access to LAN, Yet passes Internet
- Started by joeschmuck
- Replies: 20
-
-
-
RT-BE92U LAN issue after upgrading to the latest firmware
- Started by ashishrc
- Replies: 13
-
Discover IoT device from HASS on Main LAN to Guest Network
- Started by mr_planet
- Replies: 11
-
Can Guest Network Pro (guest network #1) use a DNS server which is located in the main LAN?
- Started by Rici
- Replies: 7
-
-
Cannot access lan on AX-86U through Hub and Spoke wireguard
- Started by Asus79
- Replies: 18
Latest threads
-
Is there a paid version of Adguard that has more up to date protection
- Started by Notconnected
- Replies: 3
-
Interesting MAC address allocation on RT-AC3200
- Started by vibroverbus
- Replies: 0
-
-
-
Release ASUS ZenWiFi BT10 Firmware version 3.0.0.6.102_39110 (2026/04/02)
- Started by fruitcornbread
- Replies: 2
Support SNBForums w/ Amazon
If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!