Guest Network always is open to LAN on ASUS RT-AC87U

digital68

We have 3 Asus RT-AC87U connected by wire. We tried all kinds of setups to avoid this problem, with no solution.

The Guest Network uses the same IP range as the LAN instead of a subnet, so the USB drives, printers and computers on the LAN network are always visible to the Guest Network users even if you disable the Intranet; in a few words, the Disable Access to Intranet option does not work. The LAN (main) network always gives access to all the Guest Network users.

We tried setting them up as routers - it did not fix the problem
We tried setting them up in AP mode - it did not fix the problem
We tried setting them up as a bridge - it did not fix the problem, and it is even worse because everything runs under the 5G

People are printing on our printers from their personal cell phones and tablets. They also have access to our file server.

How could I fix this problem?
 
Guest isolation only works on the primary router. It doesn't work on access points because that one has no way of controlling access to the rest of the LAN (only the main router does). And setting multiple devices in router modes won't work either, because once again, once you go upstream from the router to which you are connected, the other router will have no way of knowing if a client is supposed to be allowed access to the rest of the LAN or not.

Your only solution is to have one router, a couple of additional access points, and implement VLANs to isolate those guests from the rest. Or to move to business-class devices which are designed for those kinds of setups.
 
I thought that when you run a Guest Network it should run as a subnet

ex.
Main IP
10.100.0.5

Guest IP
10.100.2.5


When you convert the second and third router to AP mode, it still gives you the option of the Guest Network configuration, so if it runs as a subnet the primary router should be able to detect the guests from the other routers and block the access to the intranet.

The problem that I found is that even if I unplug the two AP routers from the power, the primary router still mixes the users on the main network, whether I disable or enable the intranet access. I tested it from my cell phone, which was connected to the guest network, and I was able to access everything.

I also converted the other two routers to primary and ran them by themselves to see if the problem was fixed, and they do the same.

I also updated the firmware to the 3.0.0.4.378_9460-ge0bf238 version with no change.

Now my question is, why did Asus create a router with 6 guest networks that doesn't work?

Any ideas?
 
Every manufacturer's implementation is different. Linksys, for instance, implemented it as a captive portal.

Asus's implementation keeps everything within the same subnet, and relies on ebtables to block access to other interfaces on the router if you disable Intranet access. That's why it doesn't work with access points, as each AP can only control itself, not the rest of the LAN.

Asus's implementation works, it just doesn't let you use a multi-AP network like you want to do. It has its flaws as well as its advantages.

If even with just a single router setup the Access Intranet option doesn't work properly, then something must be broken. I know it used to be broken a few years ago, then it eventually got fixed. I haven't tested it myself in a long time, so I can't tell if it's broken again or not.
 
I just noticed you were using an RT-AC87U. Do you have the same issues on both the 2.4 and 5 GHz band (when in a single router mode)? If it's only broken on the 5 GHz band, then it's another of a long list of issues that are specific to the RT-AC87U, due to its dual firmware nature.
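
A check for the symptom discussed in this thread, as an added example that is not part of any poster's message and not Asus code: run from a device joined to the guest SSID, it reports whether the client's address falls inside the LAN subnet and which of your own LAN services still accept a TCP connection. The addresses, ports, service names and function names are constructed placeholders.

```python
import ipaddress
import socket


def in_lan_subnet(client_ip, lan_cidr):
    """True when the guest client's address lies inside the LAN subnet."""
    net = ipaddress.ip_network(lan_cidr, strict=False)
    return ipaddress.ip_address(client_ip) in net


def reachable(host, port, timeout=2.0):
    """One TCP connect attempt; True only if the handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unroutable
        return False


def audit_guest_isolation(client_ip, lan_cidr, lan_services, timeout=2.0):
    """Run from a guest-SSID client. A 'leak' is a LAN service that answered."""
    leaks = [(name, host, port)
             for name, host, port in lan_services
             if reachable(host, port, timeout)]
    return {
        "same_subnet": in_lan_subnet(client_ip, lan_cidr),
        "leaks": leaks,
        "isolated": not leaks,
    }


if __name__ == "__main__":
    # Constructed sample values: replace with your own LAN inventory.
    services = [
        ("printer (raw print)", "10.100.0.20", 9100),
        ("file server (SMB)", "10.100.0.10", 445),
    ]
    result = audit_guest_isolation("10.100.0.57", "10.100.0.0/24", services)
    print("guest client inside LAN subnet:", result["same_subnet"])
    for name, host, port in result["leaks"]:
        print(f"LEAK: {name} at {host}:{port} answered from the guest network")
    print("isolated" if result["isolated"] else "NOT isolated")
```

Running it once per band on a single-router setup, with intranet access disabled, shows whether the failure is specific to the 5 GHz radio.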
 